...............................3?................................1............................1...22 What is the communication flow when using taskflows in Financial Management? ...3?
The following diagram shows a typical architecture for a Planning deployment:
What is the typical architecture for a Planning deployment for EPM System 11...........1.........1..............................1.....................19 What is the basic architecture of the Shared Services security system? ............................17 What is the typical architecture for an FDM deployment for EPM System 11.....23 How does Lifecycle Management (LCM) interact with each EPM System product? .........25
What is the typical architecture for a Planning deployment for EPM System 11..........1........1
In This Chapter
Architecture
What is the typical architecture for a Planning deployment for EPM System 11...................1......16 What is the typical architecture for a Performance Management Architect deployment for EPM System 11.....................1.13 What is the typical architecture for a Financial Management deployment for EPM System 11.............................3? .1.........18 What is the typical architecture for a Profitability and Cost Management deployment for EPM System 11.................3? .......3? .......................1...........1.......1...............1.....................15 What is the typical architecture for a Reporting and Analysis deployment for EPM System 11...20 How do EPM System products communicate with Shared Services for auditing purposes? ........1...................14 What is the typical architecture for an Essbase deployment for EPM System 11...1.............3?......1......................1..............................1..3?..............3?
13
...........3?.........

What is the typical architecture for a Financial Management deployment for EPM System 11. Clients not in front of a VIP/Load Balancer communicate directly with their respective servers.1. Please refer to the Performance Management Architect diagram for detailed information on EPMA components.Note: The EPMA box in the diagram above represents all components of Performance
Management Architect (EPMA).1.3?
The following diagram shows a typical architecture for a Financial Management deployment:
14
Architecture
.

1.1.3?
The following diagram shows a typical architecture for an Essbase deployment:
What is the typical architecture for an Essbase deployment for EPM System 11.
What is the typical architecture for an Essbase deployment for EPM System 11.1.3?
15
.Note: The EPMA box in the diagram above represents all components of Performance
Management Architect (EPMA).1. Please refer to the Performance Management Architect diagram for detailed information on EPMA components. Clients not in front of a VIP/Load Balancer communicate directly with their respective servers.

Note: The EPMA box in the diagram above represents all components of Performance

Management Architect (EPMA). Please refer to the Performance Management Architect diagram for detailed information on EPMA components. Clients not in front of a VIP/Load Balancer communicate directly with their respective servers.

What is the typical architecture for a Reporting and Analysis deployment for EPM System 11.1.1.3?
The following diagram shows a typical architecture for a Reporting and Analysis deployment:

16

Architecture

Note: Clients not in front of a VIP/Load Balancer communicate directly with their respective

servers.

What is the typical architecture for a Performance Management Architect deployment for EPM System 11.1.1.3?
The following diagram shows a typical architecture for a Performance Management Architect deployment:

What is the typical architecture for a Performance Management Architect deployment for EPM System 11.1.1.3?

17

Note: Clients not in front of a VIP/Load Balancer communicate directly with their respective

servers.

What is the typical architecture for an FDM deployment for EPM System 11.1.1.3?
The following diagram shows a typical architecture for an FDM deployment:

18

Architecture

1.3?
19
.3?
The following diagram shows a typical architecture for a Profitability and Cost Management deployment:
What is the typical architecture for a Profitability and Cost Management deployment for EPM System 11.1.1.Note: Clients not in front of a VIP/Load Balancer communicate directly with their respective
servers.1.
What is the typical architecture for a Profitability and Cost Management deployment for EPM System 11.

The web application hosts the user interface for managing security. The relational database contains the schemas for storing the registration files and the EPM System registry. a Native Directory based on OpenLDAP or OID (in 11. and a relational database repository. where administrators can provision users and groups with appropriate roles and permissions on applications.
20
Architecture
. Please refer to the Performance Management Architect diagram for detailed information on EPMA components. including creation of native users and groups. It also provides the provisioning user interface.x).1.
What is the basic architecture of the Shared Services security system?
Shared Services consists of a web application.Note: The EPMA box in the diagram above represents all components of Performance
Management Architect (EPMA).1. Clients not in front of a VIP/Load Balancer communicate directly with their respective servers. A key feature of Shared Services is to provide common security services (CSS) to all EPM System products.

Note: In the case of Essbase.Types of communication between products and Shared Services:
q
Registration:
r
Products interact with Shared Services during application and product registration. The registration happens either by the EPM System Configurator after installation or during new application creation and re-registration. it registers the name of the Administration Services Server in order for Shared Services to render the access control assignment user interface for Essbase as described in the Access Control section. Some of the registration information is also written to the Shared Services Registry where the calls are made over JDBC. products specify their application and product information to Shared Services along with any application roles that they support. This information is in turn used by Shared Services during provisioning and when making any call backs to the products. The registration information is persisted in a relational database. The calls to persist and obtain registration information are made over WebDAV/HTTP. Provisioning and Role Authorization: Native Directory. Native Directory also contains the application
What is the basic architecture of the Shared Services security system?
r
r
r
21
. based on OpenLDAP or OID. is used for provisioning purposes to create native users and groups and also to create groups based on the external or corporate LDAP-based directories. As part of the registration process.

groups.
How do EPM System products communicate with Shared Services for auditing purposes?
The following graphic depicts communication among EPM System products and Shared Services for auditing:
22
Architecture
. All products interact with the providers (OpenLDAP and other external providers) directly using the CSS client component within the product. database. The web app/component of each product in turn communicates with the services of their respective product. All products interact with the native directory for obtaining the provisioning based information like the roles assigned to the application or product. LDAP. Access Control or Preference Assignment: Shared Services communicates over HTTP to the web component of each product when either assigning Access Control or Preferences. or SAP) as a source for corporate users and groups that need access to EPM System applications.
q
Authentication: Shared Services works with external providers or directories (such as MSAD.

The Shared Services Web application will persist this information in the database. In turn. the Profitability and Cost Management product calls the audit APIs to audit other product actions. the user interface for taskflow definition is hosted by Shared Services. 2. Financial Management makes a call to Shared Services for the following:
r r r r r
Define Taskflow General tab of Taskflow definition Processing tab of Taskflow Starting an event Viewing of Taskflow status
What is the communication flow when using taskflows in Financial Management?
23
. Audit the action: The products audit each action and simply pass this information to the audit handler.
What is the communication flow when using taskflows in Financial Management?
q
Design Time When you are designing a taskflow in Financial Management. Enable auditing: Administrators enable auditing for each product within Shared Services and define what actions need to be audited. These calls are HTTP-based. Persist audit information: The registration information is persisted in the Shared Serviced database. except for the member selector interface. In addition. 3.All products interact with the Shared Services Web application for auditing Lifecycle Management and security actions. 1. 5. 4. Audit handler: The audit handler within the product will then check if auditing is enabled for that action and in turn invoke an HTTP call to Shared Services to persist the information. 1. Register auditable areas: Each product registers the areas or components of their products that need to support auditing with Shared Services.

Financial Management makes an internal call to the Financial Management server when you are selecting members from any dimension in the member selector interface.
24
Architecture
.2.

q

Run Time When a taskflow is executed at the scheduled time, Shared Services contacts Financial Management over HTTP to execute each stage.

How does Lifecycle Management (LCM) interact with each EPM System product?
The LCM utility (are we talking about the command line utility only???)and the Shared Services Web application communicate with the products over the following protocols to obtain a list of artifacts from each product. This list is displayed in Shared Services Console.
q

Financial Management: The Shared Services Web application and the LCM utility communicate over SOAP web service to the Financial Management LCM Web service on IIS. This Financial Management LCM Web service in turn communicates to the Financial Management Service over DCOM. Reporting and Analysis: The Shared Services Web application and the LCM utility communicate over TCP/IP to the EPM Workspace Core Service. Planning: The Shared Services Web application and the LCM utility communicate over HTTP to the Planning Web application. The Planning Web application in turn communicates with Essbase for Essbase artifacts.

q

q

How does Lifecycle Management (LCM) interact with each EPM System product?

25

q

Essbase: The Shared Services Web application and the LCM utility communicate over TCP/ IP to the Essbase server. Performance Management Architect: The Shared Services Web application and the LCM utility communicate over HTTP to the Performance Management Architect Web tier. The Web tier communicates with Process Manager over .NET and the Dimension Sever over SOAP as it is hosted in IIS and is a Web service.

q

26

Architecture

2
In This Chapter

Patches and Upgrades

When attempting to apply an 11.1.1.x maintenance release to an existing EPM System installation, why is the option not available in EPM System Installer?..............................................27 When upgrading Shared Services from 9.3.0 to 9.3.1, the installer doesn't detect the previous version and continues as a fresh installation instead of an upgrade. Why doesn’t it detect the previous version?.....................................................................................................28 After applying css-9_3_1.jar from Shared Services 9.3.1.1 on EPM System products, if a product releases a patch, do I need to re-apply the css-9_3_1.jar from 9.3.1.1?...........................29 When trying to apply an EPM System product patch with OPatch, why do I receive this error: “OPatchSession cannot load inventory for the given Oracle Home”?.................................30 I have a patch for the correct platform, but an error is returned with I try to apply the patch. How can I apply the patch? .........................................................................................31 What are the significant deployment issues that are resolved in EPM System Release 11.1.1.3? ...............................................................................................................32 What is the process for applying patches to existing installations when there is a JRE or JDK patch that must be applied?.....................................................................................32 Where can I find all patches released for EPM System? ...............................................34 What is new in Shared Services 9.3.1 Service Pack 1 and when is it available? ..................34 NOTICE: Development recommends that all Financial Management customers with more than 500 users on release 9.3.1 apply the Financial Management Service Fix 9.3.1.0.48. ..................35

When attempting to apply an 11.1.1.x maintenance release to an existing EPM System installation, why is the option not available in EPM System Installer?
This may happen if the user doing the upgrade is not the same user that performed the initial installation. EPM System installations and upgrades need to be done by the same user. We recommend whenever possible to use the same user for installation and maintenance of a deployment.

® To be able to apply the maintenance release on an existing installation performed by another
user, follow these steps:

1

Copy the .hyperion.<hostname> file from the $HOME directory of User1 to the $HOME directory of User2. Change the ownership to User2.

When attempting to apply an 11.1.1.x maintenance release to an existing EPM System installation, why is the option not available in EPM System Installer?

27

Product.ProductResources.
Now User2 can apply the maintenance release. If 9.properties file is missing or is out of sync with the files actually installed. this file is the %WINDIR% directory.0|1|0|false| |true|3|eIEProductBean|9| 3|0|0|Release 9.
When upgrading Shared Services from 9.3.i18n.1 was installed in a different directory than Shared Services 9.hyperion.3.3.3.1.com| |/ vol1/hss930_bad|0|0|1|eIESuite|9|3|0|0|9.propertiesfile cannot be found.hyperion. Change the ownership of $BEA_HOME or $WebSphere_HOME to User2 if you are using WebLogic or WebSphere application servers.0.vendorName)|www.0 OpenLDAP service. proceed as a new installation and configuration.0 is installed in the directory /vol1/ hss930_bad. For example.hyperion.0. it is in the $HOME directory of the user that installed the Hyperion products.
eIEProductBean|9|3|0|0|Release 9.hyperion.0.
eIEProductBean|9|3|0|0|Release 9.cis.0.0|1=eIEReference_Essbase XTD Interoperability Services|Essbase Interoperability Services|Essbase XTD Interoperability Services| $L(com.properties file and do a global replace of the installation folder with the correct one.properties file. the entry shown below in the vpd.3.0.0 to 9.sh file from the $HOMEdirectory of User1 to the $HOME directory of User2.2 3 4
Copy the set_hyphome_<hostname>_1. Why doesn’t it detect the previous version?
The previous version is not detected because the vpd. Product.3.
28
Patches and Upgrades
.i18n. Change the ownership of $HYPERION_HOME and all subfolders/files to User2.vendorName)|www.0.0 database repository during Shared Services database configuration.0|1
2
Edit the file and globally replace the old installation directory with the correct one. Try the upgrade installation again and the upgrade should be recognized and processed. If the vpd.0 OR if the vpd.0|1|0|false| |true|3|eIEProductBean| 9|3|0|0|Release 9.0.ProductResources. On UNIX.
On Windows. the installer doesn't detect the previous version and continues as a fresh installation instead of an upgrade. follow these steps:
4 5
a.0. Shutdown the 9.com| |/ vol1/hss930_good|0|0|1|eIESuite|9|3|0|0|9.0.0. but be sure to re-use the existing 9.0.0|1=eIEReference_Essbase XTD Interoperability Services|Essbase Interoperability Services|Essbase XTD Interoperability Services| $L(com.0.properties file shows that Shared Services 9.cis.3. Change the ownership to User2.0|1
3
Always keep a backup copy of the original vpd.3.3.3.3.3.properties file was missing and cannot be found.
® Steps to recover:
1
Edit the vpd. Install and configure the new Shared Services. For example.3.

1.3.1.3.6. Start 9.jar from 9.mf file.jar file and locate the Manifest. Extract the contents of this css-9_3_1.ear.jar from Shared Services 9. if a product releases a patch. c.3.
After applying css-9_3_1.3.00 Build 79 Drop 14 (June 8 2009)
Financial Management.1 Service Pack 1 (9.1 on EPM System products.jar file from 9.1.3. and EPM Workspace package the css. This file should contain the following information:
Manifest-Version: 1.
Note: Doing a global change on the path may affect other products installed on the machine.3.1.5 Created-By: Hyperion Solutions Corporation Specification-Title: Common Security Services Specification-Vendor: Hyperion Solutions Corporation Specification-Version: 9.3.3.1 installation. Administration Services Console. if the product patch doesn’t already contain the css-9_3_1. You can verify the manifest information as below: J2EE Web-app based products such as Planning.1.jar file in the respective ear/war file under the WEB-INF/lib directory.1.79 Implementation-Title: Common Security Services Implementation-Vendor: Hyperion Solutions Corporation Implementation-Version: 9.jar file.00. You can verify this by looking at the size of the css-9_3_1.1?
Yes.1.1.Patch Number 8677305.0 Ant-Version: Apache Ant 1.1.
After applying css-9_3_1.1.1/lib directory.3.mf file should be 9. Click Patches and Updates and do a Simple Search by Patch Number 8677305. do I need to re-apply the css-9_3_1. Essbase.3.1) for instructions to apply the service pack to the products. and you must check the manifest information from the css-9_3_1.war and locate the css-9_3_1.jar from Shared Services 9. eas. Using Winzip or a jar utility.3.1 Shared Services and OpenLDAP. extract the contents of the ear/war file such as Planning. if a product releases a patch.1?
29
.1. and Reporting and Analysis core services refer to the css.jar file from this location.b.1 on EPM System products.1.ear. or Workspace. do I need to re-apply the css-9_3_1.jar file and/or manifest information.3. See the Readme for Hyperion Shared Services 9.jar from the Hyperion_Home/commom/CSS/9.1.00 Build 79 Drop 14 (June 8 2009). Copy all the files from:
%HYPERION_HOME%/openLDAP/var/openldap-data (Windows) or $HYPERION_HOME/openLDAP/usr/local/var/openldap-data (UNIX)
to the same directory under the 9.jar from 9. The size should be 2808 KB and Implementation-Version in the Manifest.3. This service pack is available on My Oracle Support (previously Metalink) .

When trying to apply an EPM System product patch with OPatch, why do I receive this error: “OPatchSession cannot load inventory for the given Oracle Home”?
Possible causes for this error include:
q q q

The inventory folder wasn't created under HYPERION_HOME during the installation. The Oracle Central Inventory is not writable by the user. You didn’t use hpatch to apply the patch, or the full path to the patch was not provided. Proper patch syntax is: Windows: hpatch.bat apply <full-path-to-patch-folder> UNIX: hpatch.sh apply <full-path-to-patch-folder>

® Actions to take:
1 2
Verify that HYPERION_HOME has an inventory folder. Verify that the Central Inventory folder on the system is writable by the current user; if not, you must resolve this to proceed.

On Windows, the Central Inventory is located in: <SystemDrive>:\Program Files
\Oracle\Inventory

On UNIX, an oraInst.log file determines the location for the Central Inventory; the file may be located in a number of locations but two likely locations are /etc and $HOME.

3

If step 2 is resolved or is not an issue, but the inventory folder is missing, follow the steps in "Steps to recreate inventory" below to recreate it.

Sometimes the inventory folder is there but is not complete; if steps 1-3 still do not enable patching, delete the existing HYPERION_HOME/inventory folder and use "Steps to recreate inventory" below to recreate it.

I have a patch for the correct platform, but an error is returned with I try to apply the patch. How can I apply the patch?
The following error is returned when trying to apply the patch:
OPatch [ 233: System OPatch detects Platform ID 215 while this patch supports the following platforms : MS Windows NT, ] intact, OPatch will not attempt to restore the system failed with error code = 73

The issue is related to the correct platform ID not being set by 11.1.1.0 and 11.1.1.1 and has been typically seen with only the Windows OS. To work around the issue, add the snippet in bold below to the <Hyperion_Home>/inventory/ContentsXML/ oraclehomeproperties.xml file (even though the file says not to modify the content of the file manually):
<?xml version="1.0" standalone="yes" ?> <!-- Copyright (c) 1999, 2009, Oracle. All rights reserved. --> <!-- Do not modify the contents of this file by hand. --> <ORACLEHOME_INFO> <GUID>648216744#.#1344751757</GUID> <HOME/> <ARU_PLATFORM_INFO> <ARU_ID>233</ARU_ID> </ARU_PLATFORM_INFO> </ORACLEHOME_INFO>

I have a patch for the correct platform, but an error is returned with I try to apply the patch. How can I apply the patch?

31

For ARU_ID, supply the number shown as the supported platform by the patch, typically 912 for Windows 32-bit and 233 for Windows 64-bit. Caution: Do this only when you are absolutely certain that you have downloaded the correct patch for your platform.

What are the significant deployment issues that are resolved in EPM System Release 11.1.1.3?
The following deployment issues are resolved in the EPM System 11.1.1.3 release:
q

The logical host name entered by the user in EPM System Configurator is no longer converted into canonical form. This was known to cause issues with DNS-based load balancers. Shared Services, Essbase Administration Services, and Analytic Provider Services are now automatically configured to be fronted by the Web server by EPM System Configurator. Active-Active high availability is now supported for Shared Services. See the following white paper for more information: http://www.oracle.com/technology/products/bi/pdf/ epm_hss_active_active_clusters_wp.pdf Lifecycle Management supports the export of Deployment Metadata artifacts in a Windows environment. Prior to this release, there was an issue on Windows related to long filenames that prevented Deployment Metadata from being exported. A number of Lifecycle Management functionality defects are fixed across all products. A number of issues related to using OPatch, especially for client-tier components, have been addressed. Maintenance upgrades no longer require the manual step of rolling back previous patches. Prior to this release, if patches were applied to a deployment, maintenance upgrades would not update the patched files; customers had to remove the patched files before applying the maintenance upgrade. Patch roll backs are no longer required in the maintenance upgrade cycle. Note that patched files on previous releases are overwritten with new binaries. Before upgrading, please ensure through Support that your required patches are already fixed in the 11.1.1.3 release.

q

q

q

q q

q

What is the process for applying patches to existing installations when there is a JRE or JDK patch that must be applied?
Support for JRE and JDK updates for EPM System is provided in accordance with the policy for supporting platform software subsequent maintenance. For EPM System releases prior to 11.1.1.2, this policy is documented in the EPM System Installation Start Here. For EPM System releases 11.1.1.2 and later, this policy is documented in the Oracle Enterprise Performance Management System - Supported Platforms Matrices. The policy states:

32

Patches and Upgrades

where vendors assert backward compatibility.5. subsequent maintenance releases and service packs may be used. If an incompatibility is identified. Example:
Supported JRE Version as Documented JRE 1. In EPM System.08)JRE 1.5.0_15 (JRE 5.
Platform Windows 32 Windows 64 Linux 32 Linux 64 Solaris AIX HP-UX Vendor of JRE Installed by EPM System Sun Sun Sun Sun Sun IBM HP
What is the process for applying patches to existing installations when there is a JRE or JDK patch that must be applied?
33
. Example:
Supported JRE Version as Documented JRE 1.0
This is the location where it should be applied.16) Example of a “Subsequent Maintenance Release” Supported
You can download the patch or the latest version of the supported JRE for your platform and apply it following the instructions available with the patch. Therefore.0_12 (JRE 5.5. Oracle will specify a patch release on which the product should be deployed (and remove the incompatible version from the supported matrix) or provide a maintenance release or service fix to the Oracle product code.“Oracle acknowledges and supports the backward compatibility assertions made by third-party vendors. the JRE is installed in one of the following locations:
q q
32-bit: <Hyperion_Home>/common/JRE/<Vendor>/1.0 Update 12) Example of a “Subsequent Maintenance Release” Supported JRE 1.5.5. “maintenance releases” are considered the last two digits of the JRE version number.0_16 (aka JRE 5. “maintenance releases” are considered “the SR Level.0 Update 15)
For IBM JRE.” Example:
Supported JRE Version as Documented JRE 1.0 64-bit: <Hyperion_Home>/common/JRE-64/<Vendor>/1.5.” For Sun JRE.5.0. This is the JAVA_HOME for the JRE used by EPM System. maintenance releases are identified as the “update number”.0_08 (aka JRE 5.0 SR5 Example of a “Subsequent Maintenance Release” Supported JRE .0.0 SR10
For HP JRE.5.

1. enter a portion of the product name.3. and Business Rules Improved System 9 login performance Improved provisioning performance in Shared Services Console Faster startup of System 9 products Improved performance while using the Import/Export Utility Support for Custom Authentication Module Mechanism to periodically change the encryption key to better secure System 9 Restricted access in Shared Services Console
q
Performance Fixes:
r
r r r r q
New Features:
r r r
34
Patches and Upgrades
.01 through Service Fix Release 9. Planning.13.1 Service Pack 1 and when is it available?
Shared Services Release 9. Click “Oracle. including Service Fix Release 9. Siebel and Hyperion “Products”.3. Click on the “Search by Hierarchy” button.1 codeline.0.0.3. If you know the patch number: Click “Simple Search”.3. Enter the patch number in the “Search by” field. formerly Metalink 3. located at the top-right hand side of the page.1.1 Service Pack 1 (9.1.3.xx installation. like %essbase%.
What is new in Shared Services 9.Where can I find all patches released for EPM System?
® To find EPM System patches:
1 2 3 4 5 6 7 8 9
Log onto My Oracle Support.3. Click the flashlight icon next to the “Product or Family field”. and enter %hyperion% in the text field. If you do not know the patch number: Click “Advanced Search”.00) contains all the service fixes available on the 9.3. Click on the “Patches and Downloads” tab. Or.1.0. 2009.0 base release installation or to any 9.1. you can navigate to specific patches. if you are looking for a specific product. This service pack is available as of June 17. From there.1.3. Select “All Products” in the Search drop-down. This service pack can be applied to any 9. This service pack includes:
q
Enhancements to Infrastructure Support:
r
High availability support for Shared Services web application and OpenLDAP using Oracle Clusterware Improved performance while listing users and groups in Workspace.

This issue does not exist in any 11.1. With this service pack.x releases.1. you can now cluster Shared Services Web application and OpenLDAP using Oracle Clusterware 11.3. The problem may not surface in a test environment because it requires both a large user population and a large number of concurrent users.48 (patch number 8675984) solves this problem by removing this call under normal conditions.1 apply the Financial Management Service Fix 9.3. This problem is due to a WebDAV call made from Financial Management to the Shared Services server.
NOTICE: Development recommends that all Financial Management customers with more than 500 users on release 9.0.0.
With a large number of logins and a large user population.3.48.3. Financial Management’s open application can become progressively slow as the Shared Services CPU utilization reaches 100%. Whitepapers that describe how to set up Clusterware for these products (for Windows and UNIX) are available in the whitepaper library on OTN: http://www.
35
.1 apply the Financial Management Service Fix 9. This problem can surface only in production environments.1.3.0.q
Important Functional Defect Fixes: Bugs fixed in this service pack cover the following functional areas:
r r r r r r
Essbase Security refresh Projects listing in Shared Services Console Application status listing in Shared Services Console Calls made to user directory servers Financial Management taskflows Update Native Directory Utility
For more information.1.com/technology/products/bi/resourcelibrary. Financial Management Service Fix 9.1 to ensure high availability and failover.html
NOTICE: Development recommends that all Financial Management customers with more than 500 users on release 9.48. see the Readme for SP1.oracle.1.

36
Patches and Upgrades
.

.x releases? ...................................39 Can Performance Management Architect run on UNIX?...............42 Does EPM System support Microsoft Active Directory (MSAD) 2008 as a User Directory? .............. EPM System Configurator sometimes disables (grays out) a configuration task that has not yet been completed........................... and Performance Management Architect all run on the same 64-bit Windows machine?........45 Does EPM System support console mode and silent installations? .... the database configuration panel allows all products’ schema to be put into one database....................... and 11g?..............46 Why does configuration fail with the error message: “Register with Shared Services task failed”? .............45 What is the best way to determine which zip files I need to download for an EPM System product installation from eDelivery? .......................................41 Does FDM 9.....................43 Which versions of FDM support Oracle RAC? ....45 Can I use the 64-bit version of the SQL Server database with the EPM System 11..........................................................................48 If an EPM System 11................................46 Why does EPM System Configurator sometimes change the server name I have entered? ...................1......................... FDM.......................1.................... What can I do? ............................46 EPM System client installers are too large to copy to each client machine........................................50
37
.40 What is the support policy on Citrix XenApp and what are the known issues? ......45 In EPM System Configurator................................................................................................x installation aborts...........................42 Can I use Financial Management in a 64-bit Environment?......................... I enter a valid host that I can ping but receive an error “Hostname is not valid or is not reachable”.......................42 Are Reporting and Analysis deployment (Financial Reporting and Web Analysis) supported on UNIX when used with Financial Management deployments? .................................................................................. Are there any tips for handling such large installation files for each client? ..................................48 When doing Advanced setup during Web application deployment in EPM System Configurator.... How can I reset this flag and perform the configuration again?.....40 What are the EPM System support policies for OpenLDAP and Tomcat? ....48 How can I deploy Web applications to WebLogic using EPM System Configurator when the WebLogic Admin server is running on a non-7001 port? .40 What is the policy for supporting EPM System deployed to virtual environments? ..........................3................................3
In This Chapter
Installation/Deployment
Where can I find the latest platform certification matrix for EPM system? .............................................................47 What is the Start | Stop command for the Interactive Reporting Service on Linux? .. Is it best practice to put all products in one database? .39 Can Financial Management................................................. 10g.....................................................1.................................................... What is the best way to change the Shared Services Registry to reflect this change?................... Strategic Finance...................1.......1 support Oracle Database 9i.......................................................................................47 A hostname has changed.

66
38
Installation/Deployment
...........59 Why is EPM System Configurator having issues with resolving some hostnames....................................52 Does EPM 11.... it reverted back to the original information................... such as: "server-1.......................58 Is installing EPM System 11.................domain_s9"? .... I am running the installation software from a mapped drive.........................” How do I redeploy the Web applications using EPM System Configurator? ...... we cannot set up the cluster host and port via the Advanced Setup during Web application deployment in EPM System Configurator..................... However........................................ EPM System Uninstaller still detects installed products....................................... Are recent service packs supported? ..........................log: “ERROR............. one Shared Services to manage security for both Dev and Test environments)? .................... but...........................................................51 Can I run EPM System Configurator after configuration is completed to set the Admin Mail Server settings (for job...........................1..............52 I updated the instance files in Shared Services with the correct server name.............................1.....................64 Are SSL accelerator devices supported? ....................................57 Is there a way to deploy the Shared Services database schema without using EPM System Configurator? ................................................................................ What are the steps needed to do this for the 9.related notifications)? ......................x release?..............................................x release? ... Admin server does not start.............................. Deployment failed............................... Is there a way to run SQL scripts against the database instead of using EPM System Configurator?......................................................................... why can’t EPM Workspace find it? ................................ I have configured IIS to run on port 1801...............50 When I change the port or server name of a Web application................................................................................................. port number.....60 I have changed the WebLogic Admin username and password..........1. How do I make the changes permanent? ....................................................................................61 I need to move OpenLDAP to another machine............. does it write to this directory? ..... EPM System Configurator displays the port as 80 during Web server configuration........52 How do I re-register Reporting and Analysis if I accidentally deleted its registration information from Shared Services? .......1.... How can I update this port? ....................... After I restart Shared Services.........................53 I am trying to use Windows Integrated Authentication to connect to the EPM database? Is this supported? ............58 My OS vendor offers a more recent service pack than the one specified in the EPM System Supported Platforms Matrices...................57 I do not want EPM System Configurator to create or add tables to the database schema........................3...1..............How do I deploy additional instances of Financial Reporting Print Servers?..............57 Why does EPM System Installer hang at 99% as it attempts to create the Oracle Inventory? .....................................62 Can I use one instance of Shared Services to manage security for two environments (for example............................ and now I see the following error in configtool_err..... and protocol......................................61 How do I move OpenLDAP to another machine in the EPM System 11....x support reverse proxy in the Web tier? ..........1.......3 client tools from a network drive supported? ............. How do I set this up? .........58 After uninstalling EPM System products...53 The default port for IIS is port 80..................................................................................64 Is SSL connection to the database supported in EPM System? ................................64 Does EPM System support wildcard SSL certificates? ........54 Is it possible to install two different versions of EPM System on Windows operating system? ........................................................59 Why does the license for WebLogic Server bundled with EPM System on eDelivery impose usage restrictions? ...........................................53 For Planning..................64 Can I secure the Apache instance shipped with EPM System using SSL? ..................................

..71
Where can I find the latest platform certification matrix for EPM system?
You may be aware that it is the practice of Oracle Fusion Middleware (FMW) Product Development to document and publish “supported platform matrixes” as Excel Spreadsheets........ but a single IIS instance cannot simultaneously support 32-bit and 64-bit applications.x................ and Financial Reporting Studio clients? ...... supported with EPM System 11.....1...... Interactive Reporting Studio.. This limitation has implications for EPM System 11........1......................................1......conf file under workspace/ web-inf/conf) was used to enable or disable custom or external authentication....2 (Dickens) follows FMW conventions............ Going forward.0.1..... Where are these settings in 11...1. IIS 6....1. I receive the error “ActiveX component can't create object”..x EPM System Configurator? .
Can Financial Management..70 Are there any recommendations with regards to anti-virus settings for EPM System? ......... the local service configurator (or the ws.... FDM (32-bit) and Strategic Finance (32-bit) cannot be deployed on the same computer where Financial Management (64-bit) and Performance Management Architect (64-bit) are deployed............. on the Oracle Enterprise Performance Management System – Supported Platforms Matrices page...... all EPM System products can co-exist............... a user cannot log in to EPM Workspace...... EPM System products now comply with this standard.............. and how do I change them? .In a clustered Planning deployment..1......71 What are the meanings of the SSL-related settings in 11...x..... What can cause this issue? .68 In a deployment with a firewall between the Web application and services tier.................... On 32-bit platforms.. this format will be used to communicate certified platform matrixes.. and Workspace hangs...1....... why do users trying to launch Smart View from Planning receive this error message? "Your session is not valid........ This means that the applicable System Requirements sections have been removed from the Installation Start Here and are now available on OTN..1..67 Prior to the 11. The public-facing certification matrix for EPM System release 11.............1.............66 When using FDM...0 can either support 32-bit applications or it can support 64-bit applications....... FDM............. Specifically.
Where can I find the latest platform certification matrix for EPM system?
39
.. Please logon again"....68 When will EPM System support Windows 7 and Internet Explorer 8? .... Strategic Finance.... and Performance Management Architect all run on the same 64-bit Windows machine?
Microsoft Internet Information Server 6.1....x releases... imposes deployment restrictions on 32-bit and 64-bit applications.69 What are the minimal assemblies needed to install the Essbase Spreadsheet Add-in.... why is there a JRE conflict on my desktop? .............1....66 When I launch the Web Analysis applet.............x..... What could be the problem? ...

If multiple machines are used. Operating systems do not need to be the same between components. Specifically.1: Support for Oracle’s Hyperion Products in Virtualized Environments. OpenLDAP is the embedded Native Directory installed with Shared Services on all platforms.1. the OpenLDAP and Tomcat distributed by EPM System cannot be used for other purposes and other OpenLDAP and Tomcat instances not installed by EPM System Installer cannot be used by EPM System.
q q q q q
Web Server: Windows. UNIX Dimension Server: Windows only Excel file generator: Windows only
Each of the components can be installed on a separate machine of any supported operating system (using the “Choose Components Individually” installation option).
Can Performance Management Architect run on UNIX?
Can you split the components of Performance Management Architect between different machines? Performance Management Architect 11.1.Note: Financial Management and Performance Management Architect can co-exist on a 64-bit
machine. For all other third-party virtualization technologies.1. Article 588303.1. as follows.
What are the EPM System support policies for OpenLDAP and Tomcat?
OpenLDAP and Tomcat are provided with EPM System as “embedded components”. Other deployment scenarios of Tomcat or OpenLDAP are not supported. They are supported the same as all other EPM System software components. They are listed below with supported platforms. UNIX Data Synchronizer: Windows.
What is the policy for supporting EPM System deployed to virtual environments?
EPM System fully supports Oracle VM starting with release 11. Both are supported only in this capacity. Apache Tomcat is the embedded Java container that is automatically installed on all platforms.
40
Installation/Deployment
. x has 5 components. And FDM (32-bit) and Strategic Finance (32-bit) can co-exist on a separate 64bit or 32-bit machine. UNIX Batch Client: Windows. Similarly. it is important to make sure the machines and components can communicate with each other over the network. the support policy is documented in My Oracle Support.

When a problem has been previously reported and a resolution is available. Oracle will resume support. When the customer can demonstrate that the issue occurs when running on the native OS. Oracle support will recommend the appropriate solution on the non-virtualized OS. An analysis should be performed within the context of the specific application to be hosted in the virtual environment to mitigate potential resource contention. the customer will be referred to Citrix Microsoft for support.
q
While Oracle’s Hyperion products are expected to function properly in virtual environments. as this can result in degradation of performance and scalability. Oracle support will recommend the appropriate solution on the native OS. including logging a bug with Oracle Development for investigation if required. If the problem is determined not to be a known Oracle issue. Oracle will resume support. If that solution does not work in the virtual environment. including logging a bug with Oracle Development for investigation if required. however. or can be demonstrated not to be as a result of running on Citrix XenApp. Oracle Support may require the issue to be diagnosed in a non-virtualized environment when there is reason to believe that the virtual environment is a contributing factor. If the customer demonstrates that the Oracle solution does not work when running on a non-virtualized OS. Oracle will resume support. there may be performance implications. Oracle Support will assist customers running Oracle’s Hyperion products on third-party virtualized environments as follows:
q
When a customer logs a previously unreported issue.
What is the support policy on Citrix XenApp and what are the known issues?
41
. When the customer can demonstrate that the Oracle solution does not work when running on the native OS. which can invalidate Oracle’s typical sizing recommendations.
What is the support policy on Citrix XenApp and what are the known issues?
The official support policy for Citrix as published on My Oracle Support is: Oracle has not certified any of its products on Citrix XenApp (formerly Citrix MetaFrame Server and Citrix Presentation Server) virtualized environments. If a problem is a known Oracle issue. particularly under peak load. the customer will be referred to their virtualization software vendor for support. and use of Oracle products
in the RAC environment is not certified and not supported on Citrix XenApp. including logging a bug with Oracle Development for investigation if required.Oracle has not certified Hyperion products on third-party virtualized environments. Oracle Support will assist customers running Oracle products on Citrix XenApp in the following manner: Oracle will only provide support for issues that either are known to occur on the native OS. Oracle Support may refer customers to the third-part virtualization vendor for issues that cannot be duplicated in non-virtualized environments.
Note: Oracle has not certified any of its products on Citrix XenApp. we will refer the customer to Citrix for support. If that solution does not work in the Citrix XenApp virtualized environment.

1.
Does FDM 9.1.1. No service fixes or service packs are required.1.1.1.1 incorrectly stated that FDM did not support Oracle databases.x releases.1.3. Deploying Financial Management and Reporting and Analysis in a mixed environment of Windows and UNIX will result in unsatisfactory performance. The Certification Matrices for the 11.x and 11.1 correctly stated that FDM supports Oracle databases.3. This problem has been noted in the FDM Readme for 9. and 11g?
Yes.x and 11.3 releases have been updated to reflect this support and are reposted
42
Installation/Deployment
.2 and 11.1 support Oracle Database 9i.3. The System 9 Installation Start Here document for 9.3.3.1. UNIX platforms are not supported. as connection anomalies have been observed in this configuration. 10g. This is true for both the 9.
Does EPM System support Microsoft Active Directory (MSAD) 2008 as a User Directory?
Yes.x releases. When using Financial Management with Financial Reporting and Web Analysis. EPM System customers have successfully deployed the following client components in Citrix environments:
q q q q q q q q q
Financial Reporting Studio Interactive Reporting Studio Data Relationship Management client Essbase Excel Add-in Essbase Administration Services Console Essbase Integration Services Console HAL Financial Management FDM
Deploying EPM System server components in Citrix environments is not recommended. EPM System has recently certified MSAD 2008 as an external user directory for the 9.3.That said.1.
Are Reporting and Analysis deployment (Financial Reporting and Web Analysis) supported on UNIX when used with Financial Management deployments?
No.1 and is reposted to the System 9 documentation library on OTN to prevent further confusion. The FDM Installation Guide for 9.

See the Supported Platform Matrices page on OTN for details.1.
q
Which components of the system need to be 64-bit? In particular.
q
How does one migrate from 32-bit to 64-bit Financial Management? Will 64-bit Financial Management work with an application created under 32-bit Financial Management? The schema upgrade path from a previous release running 32-bit to a release running 64bit Financial Management is similar to an ordinary version upgrade. When upgrading Financial Management from a previous release. schema upgrade is not required when moving from 32-bit Financial Management 11. NOTE: To install the 64-bit version of Financial Management software. On the client side. Depending on the size of the application and its usage profile. does the relational database need to be 64-bit? The database can be either 32-bit or 64-bit as long as it is a supported type and version. This includes the AMD64 and Intel 64 (formerly EM64T) processors.1.x and 11.3.1.
Can I use Financial Management in a 64-bit Environment?
Below are some frequently asked questions about using Financial Management in a 64-bit environment:
q
What is 64-bit Financial Management? This is the 64-bit port of Financial Management.
Can I use Financial Management in a 64-bit Environment?
43
. this includes Windows 2003 and subsequent service packs.1.1. The Itanium processor (IA-64 architecture) is currently NOT supported. the extra memory can lead to significant speed improvements.1.
q
Which CPUs are supported? The x86-64 architecture is supported.
q
What are the benefits of 64-bit Financial Management? The main benefit of 64-bit Financial Management is the ability to hold substantially more data in memory at one time.1. the x86-64 versions of Windows XP and Vista are supported.1. See the EPM System Certification Matrix for supported database. you must select "New Installation" in EPM System Installer. The first version of 64-bit Financial Management is 11. the Installation Start Here for those releases has also been updated and reposted. For 9.x.1. while simultaneously reducing the load on the relational database. On the application server.to the Supported Platform Matrices page on OTN.x or newer). use the Schema Upgrade Utility to upgrade the database schema to support the new version of Financial Management (11.x or newer to a 64-bit version of the same release.
q
Which Operating Systems are supported? The x86-64 versions of Microsoft Windows are supported.1. It is functionally identical to 32-bit Financial Management and uses the same code base.

000. To take advantage of the extra memory in a 64-bit environment. then divide the Total physical Memory installed on the server by the number of Financial Management applications to arrive at the “Available Physical Memory” for each application. If multiple Financial Management applications will be active. compared to a maximum of 3 GB in 32-bit Windows. the implication is that.000
MaxDataCacheSizeinMB 500 1500 4500 9000
For a weekly application. Since the physical memory in almost any current computer is far smaller than 8 TB. where the total memory footprint of the application. even under load. Financial Management’s default memory settings are appropriate for a small to medium size application in a 32-bit environment. The following table contains suggested values for these parameters depending on available memory.000. This is done with the assumption that Financial Management is the only memory-intensive process running on the machine and running only a single Financial Management application. This includes applications with one or more of the following characteristics:
r r r r
Large scenarios (millions of records per year) Dense applications (many large subcubes) Large memory footprint as a result of many scenarios being accessed concurrently Weekly applications
q
What kind of applications will see the least benefit? Small applications.000 30. 64-bit Financial Management can take advantage of all available physical memory once the proper memory parameter adjustments are made (see below).
Available Physical Memory 4 GB 8 GB 16 GB 32 GB
NumDataRecordsinRAM 4.
44
Installation/Deployment
.
q
Are there any memory settings that need to be tuned for 64-bit Financial Management? Yes.000.000 10. The relevant registry settings are NumDataRecordsinRAM and MaxDataCacheSizeinMB which need to be created or changed in [HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions \Hyperion Financial Management\Server] on each application server’s Windows registry.000. we recommend the following settings for a monthly application.q
What are the memory limitations of 64-bit Financial Management? The limit of virtual address space is dictated by Microsoft Windows and is 8 TB (8192 GB). divide the NumDataRecordsinRAM by 4. 64bit Financial Management is limited by physical memory. rather than virtual memory. In other words. without changing the value in the last column. can fit comfortably in the 32-bit memory space. in practical terms.
q
What kind of applications will see the most benefit? Applications with large memory requirements will see the most benefit.000 60.

1.x releases did not support silent configuration.x releases?
Yes.1. Oracle recommends that you download installation files to a shared drive and install from that drive.1.x release supports both console mode and silent installation and configuration options. EPM System supports 32-bit as well as 64-bit versions of all supported datatabases. Instructions are provided in the Installation and Configuration Guide (Chapter 2. Also. Click the “Readme” button above the list of downloadable files.3 is now certified to run on Oracle RAC. The EPM System 11.
What is the best way to determine which zip files I need to download for an EPM System product installation from eDelivery?
The Media Pack Readme on eDelivery identifies. “Performing Silent Installations” and Chapter 3. “Performing Silent Configurations”).1. on a per-platform basis.Which versions of FDM support Oracle RAC?
FDM version 11.
Can I use the 64-bit version of the SQL Server database with the EPM System 11.1.
Which versions of FDM support Oracle RAC?
45
. the appropriate Media Pack page will be displayed.1. Media pack readmes have recently been updated to improve usability. the “required” and “optional” zip files necessary to deploy each product. refer to the “Preparing for Installation” chapter of the Installation and Configuration Guide for information about which zip files you need to download for each product. You will also need to refer to the EPM System Media Pack Readme on Oracle® E-Delivery.1. the EPM System 11.1.
Note: The 9.
Does EPM System support console mode and silent installations?
Yes.3 Certification Matrix has been updated and reposted to reflect this change. After selecting the platform and release number on the eDelivery Media Pack Search page.

11. Is it best practice to put all products in one database?
While it is possible to configure one database for all products.1. where hostnames entered in EPM System Configurator are not converted to their canonical names and stored. In prototype and development environments. you need to first configure Shared Services. for production systems it is recommended to put each product in its own database/schema.In EPM System Configurator. set the first line of the hosts file to resolve the VIP hostname (so that the VIP hostname is returned as the canonical hostname) before running EPM System Configurator. or 11.1. make sure it is running.1. where the canonical hostname for the VIP returned by the DNS is one of the physical hostnames under the VIP. You should be able to enter the VIP hostname during advanced setup during web application deployment. This provides flexibility in backup and recovery of the database for each individual product.1.1.45 vip-hostname
Why does configuration fail with the error message: “Register with Shared Services task failed”?
If you are deploying in a distributed environment. the database configuration panel allows all products’ schema to be put into one database.0.1. EPM System Configurator stores canonical hostnames. one database configuration is often satisfactory.23. see the “Configuring EPM System Products” chapter (“Configuration Sequence” section) in the Installation and Configuration Guide.1. For more information.1. This is known to cause issues. This issue has been addressed in the upcoming 11. and then perform the remaining configuration tasks in EPM System Configurator in any order. especially with VIPs.2 releases.3 release.
Why does EPM System Configurator sometimes change the server name I have entered?
This causes many issues when DNS-based load balancing is used.
46
Installation/Deployment
. Example entry in hosts file:
10.1. For the 11.1.

you should use the epmsys_registry(. It is best practice to make the installer available from a shared drive and then install from the shared drive. run EPM System Installer with:
installTool(.sh) view HOST
Copy the ID for the HOST component to be updated.sh) –record <silent_response_file>
To install using the silent installation file. More information can be found in the “Installing EPM System Products” chapter (“Performing Silent Installations” section) the Installation and Configuration Guide. To record a silent installation response file.
® To update the host value in Shared Services Registry:
1 2 3
Run:
epmsys_registry(.1.x installer supports installation from a shared drive. What is the best way to change the Shared Services Registry to reflect this change?
With release 11.1. start EPM System Installer from a command line with:
installTool(.
EPM System client installers are too large to copy to each client machine. Are there any tips for handling such large installation files for each client?
47
. You can download all the binaries once to a common shared location and install from that location. Run:
epmsys_registry(.
4
To ensure that the ID for the HOST component was updated.sh) to update the host value in the Shared Services Registry and restart all EPM System components on all machines. run:
epmsys_registry(. Are there any tips for handling such large installation files for each client?
The 11.sh) view #<ID>
The name of the host component will not be updated.sh) updateProperty #<ID>/@host <new hostname>
where <ID> is the ID copied in step 2.1.3 and higher.sh) –silent <silent_response_file>
where <silent_response_file> is the response file recorded earlier.
A hostname has changed.EPM System client installers are too large to copy to each client machine.1. You can also use the silent installation feature to install silently from a remote shared location. This also applies to server-side components. You can update the name using the process above.

To start the Interactive Reporting Service.5.sh
To stop the Interactive Reporting Service.
If an EPM System 11. Shared Services Registry is updated when you install and configure the component on the other host.0/bin/startAgent. EPM System Configurator sometimes disables (grays out) a configuration task that has not yet been completed.0.0.1. change the Admin server port back to 7001 and re-deploy.Follow this procedure only if the hostname is changed.0/bin/stopAgent. run:
<Hyperion_Home>/common/workspacert/9.sh file. you must use the same script that is used for EPM Workspace. then if the IP address changes but not the hostname.) Restarting all EPM System components on all machines should be sufficient.1. not an IP address.sh file and did not find any entry specific to Interactive Reporting.
48
Installation/Deployment
. To start or stop Interactive Reporting Service. How can I reset this flag and perform the configuration again?
If this problem occurs. (The welcome panel of the installer displays the hostname.
What is the Start | Stop command for the Interactive Reporting Service on Linux?
I have checked the start. no Shared Services Registry update is required. there is no specific entry for Interactive Reporting in the start. Correct. If you have moved a component from one host to another. submit an SR with details so that the core issue can be addressed in the software.sh
How can I deploy Web applications to WebLogic using EPM System Configurator when the WebLogic Admin server is running on a non-7001 port?
EPM System does not support deploying Web applications via EPM System Configurator when the Admin server port for WebLogic has been changed to a non-default port. To deploy using EPM System Configurator.x installation aborts.5. Assuming that installation and configuration were done using the hostname (not IP address). run:
<Hyperion_Home>/common/workspacert/9.

xml file for the product that you want to re-enable the task for.5. This file is in:
<HYPERION_HOME>/common/config/9.
This section lists the various configuration tasks and indicates whether they have been executed (according to EPM System Configurator). they are marked as Configured. How can I reset this flag and perform the configuration again?
49
.0. the file for Reporting and Analysis (biplus) is shown below:
2
Open the file and search for taskConfiguration.
4
Save and close the file. EPM System Configurator sometimes disables (grays out) a configuration task that has not yet been completed.0/product/<product code>
In the screen shot below.x installation aborts.1. follow the steps below to re-enable the task in EPM
System Configurator:
1
Edit the *_config.
3
Change the value Configured to Pending for the tasks that you want to re-enable.® To temporarily work around the issue.1. and re-run EPM System Configurator.
If an EPM System 11. if so.

How do I deploy additional instances of Financial Reporting Print Servers?
To install only the Print Server component on a machine.233 virtual_hostname
EPM System stores only the hostname.148. What can I do?
The issue is related to the ECHO service not running on the host (or the physical server the hostname resolves to). After configuration. You do not need to edit any other files. Then run EPM System Configurator. Select the Print Server component to install.
50
Installation/Deployment
. select “Choose components individually”.When doing Advanced setup during Web application deployment in EPM System Configurator. <windows>/system32/ drivers/etc/hosts on Windows) before starting configuration. The workaround is to update your hosts file (/etc/hosts on UNIX. remove the line from your hosts file. Java uses this service to validate the reachability of a given host and responds negatively if it does not get a response back. I enter a valid host that I can ping but receive an error “Hostname is not valid or is not reachable”. for example:
10. This problem can happen specifically with hardware load balancers where virtual IPs are created.177. from EPM System Installer. Add a line for your host pointing to an IP that has the service running. not IP addresses.

and restart EPM Workspace to obtain full availability of the applications. The published documentation for releases 11. Restart the Workspace Web application.1. Products that are offline at the time EPM Workspace starts up may not have full menus available. why can’t EPM Workspace find it?
51
. If you change the port or server name of a web application:
q q
Use EPM System Configurator to reconfigure the Web server.1. it reads from the Shared Services Registry to determine which products are configured. why can’t EPM Workspace find it?
EPM Workspace caches product information at startup time.3 have been updated and reposted to the EPM System documentation library on OTN.
Note: The order of starting components as documented in the Installation and Configuration
Guide used to mention starting the EPM Workspace Web application earlier. Start these applications.1.2 and 11.When I change the port or server name of a Web application.
When I change the port or server name of a Web application. This information is refreshed only with a restart.1.

2. Shared Services does not support reverse proxy. such as the mail server settings. How do I make the changes permanent?
As of release 11.1. EPM System Configurator can be run again. You should restart all services and Web applications to make sure the new settings are used. you must update the Shared Services Registry with the correct server name. This content is already proxied through the Web server provided with EPM System. see “Updating Shared Services Registry Data” in the “Working with Lifecycle Management and Shared Services Console” chapter of the Lifecycle Management Guide. to change different settings.related notifications)?
Yes.
52
Installation/Deployment
. You can edit Shared Services Registry data from Shared Services Console: For instructions. To make the changes permanent. and protocol information in the registered instance file for each application is updated upon restart of Shared Services.1. After I restart Shared Services.x support reverse proxy in the Web tier?
All content that is launched in EPM Workspace can be routed through a reverse proxy. post-configuration.1. based on the information for the product in the Shared Services Registry. port. and protocol.
I updated the instance files in Shared Services with the correct server name. For Essbase Server. These values are saved in the Shared Services Registry. it reverted back to the original information. the server name.Can I run EPM System Configurator after configuration is completed to set the Admin Mail Server settings (for job.1. You can run EPM System Configurator from any configured machine and set the mail server settings. and protocol. use MaxL and run the alter system set eas_loc command to update this information in the Shared Services Registry. Once corrected in the Shared Services Registry.
Does EPM 11. restart Shared Services to update the instance file content. which can be accessed by all other machines in the deployment. port number. port number.

0. see “Setting Up Microsoft SQL Server Windows Authentication” in the “Configuring EPM System Products” chapter of the Installation and Configuration Guide.5.
I am trying to use Windows Integrated Authentication to connect to the EPM database? Is this supported?
Windows Integrated Authentication is supported for the SQL Server database only.) It will show that the correct port is configured.
Do not select any other options inside “Hyperion Foundation” and “Workspace” – they should be in the “Configured” state. but.0/regedit.0/epmsys_registry to generate the registry.0.5.0/product/workspace/9.html file. (Note: in releases prior to 11. You can verify that the correct port is configured by reviewing the Shared Services Registry report.1.5. Run <Hyperion_Home>/common/config/9. This will re-register Reporting and Analysis to Shared Services. However. run <Hyperion_Home>/common/ config/9.
How do I re-register Reporting and Analysis if I accidentally deleted its registration information from Shared Services?
53
.5. I have configured IIS to run on port 1801. For instructions to set this up.1. How can I update this port?
The value displayed in EPM System Configurator during Web server configuration is incorrect.How do I re-register Reporting and Analysis if I accidentally deleted its registration information from Shared Services?
® To re-register Reporting and Analysis:
1
Open the following file:
<Hyperion_Home>/common/config/9.3.
The default port for IIS is port 80. but the value that is actually used during the configuration is the correct port value.
Select these two components and then run the configuration.0/workspace _1_config.0.xml
2
Replace “Configured” with “Pending” in this part of the file:
<property name="shortcutFolderName">Oracle EPM System/Workspace</property> <property name="state">Pending</property> <bean name="taskConfiguration"> <property name="hubRegistration">Configured</property>
3 4
Launch EPM System Configurator.
Both the “Hyperion Foundation” and “Workspace” components are in the “Pending” state.0. EPM System Configurator displays the port as 80 during Web server configuration.

expand the Planning node and select Manage Planning Clusters and click Next.
® After all standard configuration tasks are run and completed successfully. you need to set up clusters using the “Manage Planning Clusters” task in EPM System Confgurator. we cannot set up the cluster host and port via the Advanced Setup during Web application deployment in EPM System Configurator. follow this
procedure:
1
On the task panel in EPM System Configurator.For Planning.
54
Installation/Deployment
. How do I set this up?
For Planning.

we cannot set up the cluster host and port via the Advanced Setup during Web application deployment in EPM System Configurator.2
Select Edit Cluster and click Next. How do I set this up?
55
.
For Planning.

3
Select Default for Cluster Name and click Next.
4
Enter the host name and port number for the Planning cluster (the host name and port number that should be used to connect to the cluster of Planning Web applications). Make sure that Activate as Active Cluster is selected.
56
Installation/Deployment
.

I do not want EPM System Configurator to create or add tables to the database schema.1.1.
The Planning clusters are now created.x releases. Also. for Shared Services release 9. as this is standard Oracle deployment methodology.
Is it possible to install two different versions of EPM System on Windows operating system?
EPM System supports only a single version of a product on Windows OS. EPM System supports only one instance of product on a machine due to the same reasons. and the configuration will be complete. the Shared Services SQL scripts to be executed are in this location:
HYPERION_HOME/products/SharedServices9/server/conf
Look for these scripts based on the database (the following is for Oracle database):
create_oracle_cms. Is there a way to run SQL scripts against the database instead of using EPM System Configurator?
EPM System does not provide SQL scripts that can be run independently to set up the database. and provide the database schema information from the above step.sql create_oracle_scheduler.1. For 9.sql create_oracle_workflow. Hyperion Configuration Utility will prompt you to re-use the existing database.3. run the Hyperion Configuration Utility and select the database configuration and web application deployment tasks.
Is it possible to install two different versions of EPM System on Windows operating system?
57
. This functionality will be supported in a future EPM System release. This is not supported for the 11. Financial Management. This is due to limitations in underlying technologies used by the Windows-only products and the use of Windows Registry (for example. and FDM).5
Click Next to execute the task.1.sql
After running these scripts against a database. with the exception of Essbase. Strategic Finance.
Is there a way to deploy the Shared Services database schema without using EPM System Configurator?
Yes.3.

1. if you view the installTool-install.
My OS vendor offers a more recent service pack than the one specified in the EPM System Supported Platforms Matrices. Therefore when vendors assert backward compatibility. A second reason for slowness at the end of installation. is that the last step of the installer copies the Help files related to uninstalling down to the machine.3. Are recent service packs supported?
The version specified in the EPM System Supported Platforms Matrices is the minimum supported baseline.1.impl. Oracle acknowledges and supports the backward compatibility assertions for platform software as provided by its vendor.OUIExecAction. subsequent service packs may be used. this process is just very slow. up to 1 hour on some machines. In some VM environments.Why does EPM System Installer hang at 99% as it attempts to create the Oracle Inventory?
When this issue occurs and EPM System Installer stops at 99% complete. on some machines. This reduces the duration of the process.3 client tools from a network drive supported?
Yes. In release 11. we have seen this behavior. Many customers use this technique to avoid copying large installation files to each client. the inventory creation process may have ended already but the message still shows in the installer while the help files are being copied.log file (in HYPERION_HOME/logs/install).2 and 11.1.3 releases. this is fully supported.
58
Installation/Deployment
.1. and that occurs with the 11.1.
Is installing EPM System 11. INFO.1. the messages are clearly distinguished between creating inventory and copying Help files. the last message is:
com.1. copy the installation files into the VM image itself (do not map to the physical drive on the non-VM). for example. If installing on a VM image.hyperion. this process can be slow. Creating Oracle inventory
In many cases.action. In fact.install.1.

if the old software is removed from the machine already. read the information about the . simply rename the file and you can restore it later.1. Rename this file so that the Uninstaller won’t detect the previously installed software.” In this case.x releases of EPM System.1.
Why is EPM System Configurator having issues with resolving some hostnames. does it write to this directory?
No.properties file located in <HomeDrive>/windows (Windows) or $HOME (UNIX).domain_s9"?
According to the DNS RFC 3696. When the information exists in these folders. and you don't need to uninstall this software during upgrade (or later after upgrading).x maintenance installations. detection comes from reading-tracking information in a vpd.1. nor is blank space. If you don't need to uninstall old software. If the software is still installed and you want to avoid this recognition issue.1. EPM System Uninstaller recognizes software from older releases for a Maintenance install. the file can be deleted. EPM System Uninstaller still detects installed products. If the old software is removed from the machine already. I am running the installation software from a mapped drive. it does not write back to the folder containing EPM System Installer. remove the vpd.After uninstalling EPM System products. When this file exists. detection comes from tracking information stored in a binary format in folders found in <HomeDrive>/Program Files/Common Files/ InstallShield/Universal (Windows) or $Home/InstallShield/Universal (UNIX). The memory of previous products being installed comes from one of three places:
q
If 11. does it write to this directory?
59
. Two options are available. then remove the /common folder.properties file. Instead.
After uninstalling EPM System products.oracle. Otherwise.products exists in Documents and Settings/<user> (Windows) or $HOME (UNIX).oracle. EPM System Uninstaller still detects installed products. EPM System Uninstaller does not detect that software was previously installed. “(words or strings separated by periods) that make up a domain name must consist of only the ASCII [ASCII] alphabetic and numeric characters.1. plus the hyphen. If the software is still installed.1. EPM System Uninstaller recognizes software from older releases for upgrade. a file called . in case you want to uninstall your software. No other symbols or punctuation characters are permitted. Also for 11. such as: "server-1. I am running the installation software from a mapped drive. If this file is removed or renamed.products file referenced in the first bullet above. the underscore character “_” is causing the issue. remove the /common folder under the /Universal folder.x was previously installed. leave the file alone for 11.
q
q
From older releases of EPM System.

In order to extend these capabilities.bea file in a safe place outside your BEA software and application installation directories. Windows: set PATH=BEA_HOME\JDK\bin. in the target BEA Home directory. UNIX. such as to the number of
production CPUs.Why does the license for WebLogic Server bundled with EPM System on eDelivery impose usage restrictions?
Or.
2
Perform the step appropriate for your platform:
q q
Windows: Open a command window and go to the target BEA Home directory. administrators must further activate the bundled WebLogic Server. greater than what you licensed for such use.
5
Save a copy of your updated license. Although no one else can use your license file. Users. as detailed in the BEAProducts Installation Guide:
1
Save the license update file. save the file as new_license. Users. All license terms and restrictions specified in your Agreement and ordering documents / order forms remain in full force and effect.oracle. the server license allows connections from only 5 unique IP addresses"
The WebLogic Server release 9. go to the target BEA Home directory. it does not authorize you to deploy BEA software for production use on the number of CPUs. that may be executed on simultaneously. For example.sh license_update_file
Where license_update_file represents the name to which you saved the license update file in step 1. Use this file as the license_update_file in step 4 of this procedure.bea. you should save a copy of it in a place that is protected from both malicious and innocent tampering.bea file. etc.bea. with a name other than license. download a new license update file from the Oracle BEA License keys Page: http://licensecodes. To do so.zip
Note: NOTE: While keys may remove technical restrictions.
60
Installation/Deployment
. add the JDK to your PATH variable by entering the following commands:
q q
4
Merge the license update file into your existing license by entering one of the following commands:
q q
Windows: UpdateLicense license_update_file UNIX: sh UpdateLicense.
® Then follow these instructions. why am I getting this error?
"[Server:002621]Connection rejected. etc.
WARNING: Do not overwrite or change the name of the existing license.com/downloads/LIC-WLSA92.%PATH% UNIX: PATH=BEA_HOME/JDK/bin:$PATH
export PATH
3
If it is not already included.2 MP3 bundled with EPM System contains a license file for limited-use evaluation.

xml
q
Locate the hub element.” How do I redeploy the Web applications using EPM System Configurator?
61
.x release?
® Follow these steps to move OpenLDAP to a different machine:
1 2 3 4 5 6 7
Install Shared Services on the machine to which you want to move OpenLDAP. At a command line.cmd|sh. Make sure the OpenLDAP service on the target machine is not running.” How do I redeploy the Web applications using EPM System Configurator?
® To redeploy Web applications:
1 2 3 4
Make sure that the WebLogic Admin Server is up and running.log: “ERROR. go to:
<HYPERION_HOME>/deployments/WebLogic9
Start the Admin Server using startWebLogic. see “Changing the Application Server Administrator Password” in the “Guidelines for Securing EPM System” chapter in the 11. You do not need to configure Shared Services. Admin server does not start.xml file with the new OpenLDAP hostname:
q
Open this file:
<Hyperion_Home>/deployments/<AppServer>/SharedServices9/config/CSS. remove all the files in this directory:
<Hyperion_Home>/SharedServices/9. use EPM System Configurator to re-deploy the Web applications.
I have changed the WebLogic Admin username and password.
I need to move OpenLDAP to another machine. Stop Shared Services (including OpenLDAP) on the source machine. Copy all the files in the …/openldap-data directory on the source machine to the corresponding directory on the target machine.3. After the Admin Server is running. Deployment failed. and now I see the following error in configtool_err.x/openLDAP/var/openldap-data
Stop all System 9 products.I have changed the WebLogic Admin username and password.3.x Security Administration Guide.log: “ERROR. What are the steps needed to do this for the 9. Deployment failed. Admin server does not start.1. Update the CSS. On the target machine.1.
For more information. and now I see the following error in configtool_err.

i.oracle. On the target machine.Domain. j.
8 9
Restart Shared Services (including the OpenLDAP) on the target machine. Select CSSConfig. Expand the Shared Services node. replace MachineName. d. Expand the Shared Services Registry node.x release?
® Follow these steps to move OpenLDAP to another machine:
1 2 3
Install Shared Services on the target machine where you want to move OpenLDAP. c. Shut it down if it is running. Open the file from the file system using a text editor. h.
How do I move OpenLDAP to another machine in the EPM System 11. and locate the hub element. b. Save this file to a location in the local file system.q
Replace the hostname (in the location attribute’s value) with the name of the machine where the new OpenLDAP is installed. Expand the Application Groups node. Right-click and select Export for Edit. e. replace machine. and then expand the Foundation node. Restart all System9 products.com:58080">
q
Save the changes. Select Deployment Metadata. For example. Replace the hostname (in the location attribute’s value) with the name of the machine where the new OpenLDAP is installed. then the Foundation Services node. For example.xml file in the Shared Services Registry with the new OpenLDAP host name:
a. remove this directory:
q
Windows: <Hyperion_Home>/products/Foundation/openLDAP/var /
openldap-data
q
UNIX: <HYPERION_HOME>/products/Foundation/openLDAP/usr/local/var/
openldap-data
4
On the source machine (the machine where OpenLDAP is currently).com in the following with the target OpenLDAP machine name:
<hub location="http://machine.1.com:28080">
62
Installation/Deployment
. Make sure you can see the Native User Directory in the Shared Services Console.oracle. f.com in the following hub element with the new OpenLDAP machine name: <hub location="http://
MachineName. You do not need to configure Shared Services on the target machine.1.Domain. g. update the CSS. Login to Shared Services Console as the “admin” user. Make sure OpenLDAP is not running on the target machine.

b. Right-click and select Export for Edit. n.
5
Update the Native Provider’s hostname in the Shared Services Registry on the source machine with the new OpenLDAP hostname:
a.Domain. b. For example. Open the file using a text editor and locate the host property.sh 2>/dev/null &"
How do I move OpenLDAP to another machine in the EPM System 11. Replace the existing hostname with the name of the machine where the new OpenLDAP is installed. comment out this line: in
"HYPERION_HOME/products/Foundation/openLDAP/startOpenLDAP. l.Domain. Repeat step a through c. Right-click and select Import after Edit and then provide the saved file and import it. i. Stop Shared Services (including OpenLDAP) on the source machine. select CSSConfig. Start OpenLDAP on the target machine. Save the file. Repeat steps a through g.bat"
in
HYPERION_HOME\deployments\Appserver\bin\setCustomParams\SharedServices9. On UNIX. Copy all the files in …/openldap-data directory from the existing OpenLDAP to the corresponding directory of new OpenLDAP. c. Right-click and select Import after Edit and provide the saved file and import it. Comment out the OpenLDAP start command from the Shared Services startup script.com g.
6 7 8 9
Stop all EPM System products. d. h.x release?
63
. Disable the OpenLDAP service. From the Shared Services Console. Select Properties.1.cmd
c. and check the exported file to make sure the change has taken effect. m. replace MachineName.com in the following host property with the new OpenLDAP machine name: host= MachineName. j.
10 Disable OpenLDAP on the source machine:
a. Expand the Native Provider@ExistingOpenLDAPHostname node under the Shared Services node. e. f. select Properties.1. and check the exported file to make sure the change has taken effect.k. comment out this line:
"HYPERION_HOME\products\Foundation\OpenLDAP\startService. Save the file. From the Shared Services Console. if it is a Windows machine. Save this file to a location in the local file system.

Are SSL accelerator devices supported?
No.1. the supported configuration is to use one Shared Services to manage one environment only.so to Apache by copying it to the Apache\modules directory.x releases.
® To secure the Apache instance shipped with EPM System:
1 2
On Windows systems.59\modules
64
Installation/Deployment
. add mod_ssl.1. Once downloaded.1.in
HYPERION_HOME/deployments/Appserver/bin/setCustomParamsSharedServices9.
Can I secure the Apache instance shipped with EPM System using SSL?
The version of Apache supplied with EPM System does not include SSL support.
Is SSL connection to the database supported in EPM System?
No.
Can I use one instance of Shared Services to manage security for two environments (for example. followed by all EPM System products. but there was nothing in the software to stop one environment from sharing a common Shared Services. for example:
%HYPERION_HOME%\common\httpServers\Apache\2. mod_ssl is an Apache module that provides SSL v2/v3 and TLS v1 support. using one Shared Services per environment was considered best practice and was highly recommended. Shared Services itself needs to be migrated like other products from one environment to another using Lifecycle Management (LCM). download and install pre-built versions of OpenSSL and mod_ssl. Support for SSL off-loading is planned for a future release.0. one Shared Services to manage security for both Dev and Test environments)?
Starting with the 11. In the 9.x release.sh
11 Start Shared Services.x releases. this is not currently supported but is planned for a future release. but it can be added manually using mod_ssl. and uses OpenSSL as its cryptography engine. SSL accelerators (also known as SSL off-loaders) are not currently supported in the System 9 or 11.1.

/apachectl startssl
Check the following log for successful load of mod_ssl:
/path/to/hyperion/common/httpServers/Apache/2.59/modules
5 6 7 8
Configure Apache’s ssl. but are similar to those shown.0. for example:
$ cd /path/to/hyperion/common/httpServers/Apache/2.Tip: Pre-built versions of OpenSSL are provided free by various sources. The win32 binary for mod_ssl can be extracted from the appropriate 2./configure --with-mpm=worker --enable-mods-shared=most \ --enable-ssl --enable-proxy --enable-proxy-connect \ --enable-proxy-http --enable-proxy-balancer $ make
4
Copy the mod_ssl.
® What follows are example commands for obtaining and building mod_ssl on Linux.org/ dist/httpd/binaries/win32/.0.59/logs/error_log
For example:
Apache/2./getHyslHome.bz2
3
Run the configure script with appropriate options to include SSL support.apache.0.61.tar.apache.so \ /path/to/hyperion/common/httpServers/Apache/2. mod_ssl can be built from source. .conf with your keystore and signed certificate information. including but not limited to http://www.59/bin $ .0.0.com/products/Win32OpenSSL.61.61 $ .bz2 tar jxf httpd-2.0.61 Server built: July 24 2008 13:59:30
2
Obtain and unpack the correct version of the Apache source code from http://archive.
$ $ $ $ mkdir -p ~/src/apache cd ~/src/apache wget http://archive.sh $ .0.apache.
1
Determine the version of Apache supplied by EPM System:
$ cd /path/to/hyperion/common/httpServers/Apache/2.so binary to the Apache/modules directory:
$ cp ~/src/apache/httpd-2.org/.8e-fips-rhel5 DAV/2 configured -resuming normal operations
The Apache bundled with EPM System is now configured to accept SSL requests.0. ./httpd -v Server version: Apache/2. and GNU make are required).61/modules/ssl/.9.x release at http://archive.61 (Unix) mod_ssl/2.slproweb. On UNIX/Linux systems.tar.59/bin $ ./envvars $ .
$ cd ~/src/apache/httpd-2.org/dist/httpd/httpd-2. Steps
for other UNIX variants vary. OpenSSL.0.libs/mod_ssl. Start Apache using the “startssl” argument.
Can I secure the Apache instance shipped with EPM System using SSL?
65
.html.61 OpenSSL/0. then build the software (GCC.0.0.0.

oracle.5.1.conf file that routes requests to /HyperionPlanning/SmartView to only one of the Planning servers as shown below:
<LocationMatch/HyperionPlanning/SmartView> SetHandler weblogic-handler PathTrim / WLCookieName HPSESSIONID WeblogicCluster myhost.(example CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA instead of CAFEEFAC-0015-0000-0017ABCDEFFEDCBA).properties file.2.html.
This issue is also seen when users attempt to connect to Planning directly from Smart View.1. this is set through the CMC console:
66
Installation/Deployment
. Please logon again". The solution is to configure the deployment so that it always uses a specific Planning web application for Provider Services communication. In EPM System (11. they are prompted with the Login dialog box.4.Does EPM System support wildcard SSL certificates?
EPM System release 11.x does not support wildcard SSL certificates.1. In System 9.<IPaddress> failed hostname verification check. <hostname> but check expected <hostname>
In a clustered Planning deployment. this error is returned:
"Please check if the Server / URL you provided is correct and if the server is up and running”.1. Provider Services can only work with a single instance of Planning. the clsid CAFEE parameter is set in the WebAnalysis.x) by setting the clsid CAFEE parameter to a –FFFF. You can configure this from WebLogic by adding a new LocationMatch tag at the end of the HYSL-Weblogic. 1. 1. For more information.sun.
The behavior occurs because Smart View integration with Planning through Provider Services does not support a clustered Planning deployment. Certificate contained @ *.com/javase/6/webnotes/familyclsid. after re-entering the credentials.x. see http://java. you can force the applet to use a specific JRE family (for example.com:8300 </LocationMatch>
When I launch the Web Analysis applet. why do users trying to launch Smart View from Planning receive this error message? "Your session is not valid. You may receive the following error message in SmartView when a wildcard certificate is used:
@ [Security:090504]Certificate chain received from <hostname> .x). why is there a JRE conflict on my desktop?
When multiple JREs are installed on a client. but there are some known limitations with Analytic Provider Services with wildcard certificates. Most components work correctly with wildcard certificates.

I receive the error “ActiveX component can't create object”. journals. templates. What can cause this issue?
67
.Changing the clsid parameter allows the user to run Web Application applet on newer versions of JRE. I receive the error “ActiveX component can't create object”.
When using FDM.
When using FDM. and exporting grids. Excel is required by FDM server for many of the functions including schema update. What can cause this issue?
This error may occur because Microsoft Excel is not installed on the FDM Web Application Tier. multi-load.

1. and how do I change them?
In 11. random ports are opened between the EPM Workspace Web application and the Agent.Prior to the 11. A screen shot of the CMC setting is shown below:
68
Installation/Deployment
.1.conf file under workspace/ web-inf/conf) was used to enable or disable custom or external authentication.conf file properties there.
In a deployment with a firewall between the Web application and services tier. and select Properties.1. and Workspace hangs.x. but the firewall prevents those connections.x releases. What could be the problem?
There are various reasons why a user may not be able to log in to EPM Workspace. you need to configure the setting “Pass Data Using Steams instead of Files” to “No” for the EPM Workspace Web application in the Reporting and Analysis Configuration and Monitoring Console (CMC).1. right-click the EPM Workspace Web application. You can update them using the Reporting and Analysis Configuration and Monitoring Console (CMC).1. a user cannot log in to EPM Workspace. the parameters from the ws. In this case. From CMC. Where are these settings in 11. the local service configurator (or the ws.conf file are now stored in the Shared Services Registry database. For detailed instructions. see the “Configuring Services Using CMC” chapter in the EPM Workspace Administrator’s Guide. If streams are used.x. One reason occurs when there is a firewall between the EPM Workspace Web application and the Workspace Agent. You will see all the parameters that used to be in the ws.1.

OR FUNCTIONALITY. AND MAY NOT BE INCORPORATED INTO ANY CONTRACT.
When will EPM System support Windows 7 and Internet Explorer 8?
THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. see the “Workspace Web Application Properties” section of the “Configuring Services Using CMC” chapter of the EPM Workspace Administrator's Guide. For more information. the proxy code for retrieving files from the Repository service fails because of the restrictions on ports. which then only uses the static Repository port for metadata. RELEASE. This happens because the file retrieval uses a separate port from the Repository service's static port so that it does not affect performance. the code relies on the host machine of the Web application to allocate any open socket port and retrieve files. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL. THE DEVELOPMENT. AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. By default.
When will EPM System support Windows 7 and Internet Explorer 8?
69
.Cause: When the EPM Workspace Web application is behind a firewall. AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE. CODE. IT IS INTENDED FOR INFORMATION PURPOSES ONLY.

which is a Patch Set for release 9.3. With all clients.3.1. the following assemblies are needed. Interactive Reporting Studio.
What are the minimal assemblies needed to install the Essbase Spreadsheet Add-in. and Financial Reporting Studio clients?
For 11.5.3. which is a Patch Set for release 11.2 Release 9.1.3 and 9.3.4.1.1.1 Release 11.1.1.1.
q
The assemblies required for Essbase Spreadsheet Add-in installation are:
r r r
commonComponents essbase_client essbaseAddins commonComponents biplus_interactive_reporting_client essbaseProductCommonComponents configlibs commonComponents productCommonComponents essbaseProductCommonComponents biplus_financial_reporting_client biplus_configlibs biplus_financial_reporting_common hfm_client (required for FR use with HFM) hfm_common (required for HFM components)
q
The assemblies required for Interactive Reporting Studio installation are:
r r r
q
The assemblies required for Financial Reporting Studio are:
r r r r r r r r r
70
Installation/Deployment
.1.3
Existing customers on releases 11.Support for these platform components is planned with the following releases:
q q q
Release 11. the EPM System Installer is also required.1.1 will be able to get support by applying the specified patch set and no major upgrade is required for these customers. Availability for these releases is planned within calendar year 2010.1.

1..
What are the meanings of the SSL-related settings in 11.x EPM System Configurator?
The following sections describe the meanings of the SSL-related settings in EPM System Configurator:
q
Common settings: The Enable SSL for Web applications setting is used to indicate that communications to Web applications are to be made in SSL.
Are there any recommendations with regards to anti-virus settings for EPM System?
71
.g. Shared Services).Are there any recommendations with regards to antivirus settings for EPM System?
The scanning executed by anti-virus software can be a source of performance issues with EPM System products.1. Each time a user accesses any resource on the server. The recommendation is for the HYPERION_HOME directory to be excluded from anti-virus software scans and only scanned on a scheduled basis. EPM System provides some guidelines and pointers to application server documentation in the SSL Configuration Guide. Note that EPM System Configurator does not configure SSL communications – these have to be done following the application server documentation. anti-virus software will try to open the object and scan it. This includes internal communication between Web applications as well as communication from the browser that are made directly to the Web application (e.

Depending on the SSL flag from the common settings panel. you enter the SSL port for the LWA (VIP/Load balancer) in the Advanced Setup dialog.q
Web application deployment: The SSL ports for the Web application are set on the Application Server Deployment panel. This is used to generate the URL for inter-product communication. Logical address for Web applications: If the LWA is SSL enabled. The Web application server listen port is configured. This SSL port is used in configuring the Web server to talk to Web applications when the SSL flag is set in the Web server planning. the URL generated is either HTTP or HTTPS. but you still need to follow the application sever documentation to enable SSL communication.
72
Installation/Deployment
.

2. This flag indicates to EPM System that the Web server is SSL-enabled.
What are the meanings of the SSL-related settings in 11.1.1. In the next major release (11. the browser communication to the Web server should be in HTTPS.0).q
Web server deployment: This flag also configures the plugin configuration to the application servers in the Web server with HTTPS.x EPM System Configurator?
73
. This flag is used by some products to build the URL to send back to the browser. Therefore. this flag will not be there and Web server to application server communication configuration will use the SSL flag from the common settings panel.1.

74
Installation/Deployment
.

......................................................83 Why does Workspace hang when an MSAD/LDAP user logs in?........... even though groups exist under the group URL?. How can I avoid this?...83 I don’t use LDAP/MSAD groups............................................. what is the best way to get EPM System’s user identities migrated to the new directory?............................................... Is there a limitation on the number of groups that can be exported? ........ when I export groups using the Import/Export Utility......................................................... However........85 Does EPM System support LDAP/MSAD dynamic groups?..... or ibmentryid)..................................................................................................................87 Why does the Shared Services OpenLDAP service sometimes get removed after an upgrade? .......................................................................................................................83 How do I limit or filter the external users that are available in Shared Services? .85 Why can’t LDAP/MSAD users log in to a product even though they are given proper security roles? ....................... only 5..................87 Can I override the default authentication mechanism used in EPM System with a customer’s own authentication mechanism? ....................................................... orclguid................................87 After changing the identity attribute from DN to ObjectGUID (or nsuniqueid...............................................81 Does Shared Services support the asterisk character (*) in user names?............................................................81 How do I change the default location of the Shared Services security log file (SharedServices_Security_client.......88
75
.....................................86 Why does the OpenLDAP service fail to start with error code 19? ................................4
In This Chapter
User and System Security
I have more than 5......................................... GUID........................86 What is HRAM and what is it used for?...........86 How do I create/modify/delete Native Directory users and groups in bulk or provision/deprovision users and groups en masse? .......................................................................................................................................88 Are the Shared Services Native Directory user IDs and passwords stored in the OpenLDAP directory or in the Shared Services repository?.....81 Can I provision users with identical Common Names (CN) but with different sAMAccountName & Distinguished Name (DN) in MSAD?.......................... I restarted Shared Services but the identities in Native Directory didn’t migrate.80 Why does the Essbase security refresh (bulk sync) fail intermittently?................................................................................... but Shared Services seems to access groups information from LDAP/ MSAD........................................................88 When moving from one user directory to another.........................log) to a location other than the temp folder? ...000 groups are exported..............................................77 Why does a search for groups return no records from Microsoft Active Directory (MSAD)...............................000 Native Directory groups in Shared Services.........83 Why does a search for users/groups in Shared Services Console return the error message “Provider Not Reachable”?..84 How can I improve user login performance when several directories exist in the user directory search order? ......................................... How do I force Shared Services to change these identities? ..................

................................................................... 102 Which connection protocols and security mechanisms can be used for the EPM System connection with corporate directories?..96 How many characters can an EPM System username contain?.1....................................................98 How do I limit the amount of logging done by OpenLDAP? ....................................................92 How do I add new user directories or change user directory configuration in the 11....................x and 9....................................... 104 How do I enable the CSS Custom authentication module with Reporting and Analysis..........90 What are the best practices for using Native Directory users and groups in Shared Services? .................................. 102 Which encryption mechanism does EPM System use? ............................................ How can I run OpenLDAP on a non-default port for the 11...................................................................................92 Why can’t an Active Directory user login to EPM System products................................................................................. 100 How can I audit security activities.................................. such as “applications a user has accessed” or “date of last login attempt”? .............99 I have imported some provisioning data into OpenLDAP incorrectly...................................................... 104
76
User and System Security
......................x?................. Provisioning information for this user has been lost and the use cannot log in to EPM System products.............1.................................................................................................What are the best practices for migrating users and groups from one environment to another? .......................................................................... even though the user is provisioned with proper roles and entered valid credentials? ............................ 103 What is the scope of Kerberos support for EPM System?........................................xml file that I could update in previous releases? ....... 103 How do I change the security agent header used for SSO with Workspace 11......................... Can I use this OID as the EPM System Native Directory in the 11..................................1 releases? .....x releases?......................................................... 102 What is the connection protocol between Essbase Server and EPM System products? .97 What is the best practice on setting up security in terms of using Native Directory groups versus corporate directory groups in MSAD or LDAP? ...................................1........................98 Why are users or groups that have been deleted from MSAD or LDAP still visible in Shared Services Console?.................................................................1.....................96 I want to run OpenLDAP on a non-default port............................................................................................88 How do I configure Shared Services to use Oracle Internet Directory (OID) as an external directory? ..................95 I already have an OID deployment... 102 What is the CSS Custom Authentication Module?................................................90 I have lost the Shared Services “Admin” user password.............1..................... if it is not picked up in the CLASSPATH?........................1.............................................................................1....................................96 How do I change the location where data files are stored by OpenLDAP? .............................. How do I reset it?..........................3.. Is there a way to bring OpenLDAP to its initial state but not lose all the application registration information in the database?........................... 102 Can I change or regenerate the security SSO token encryption key? ........ How do I fix this?..x releases? Where is the CSS.......1.96 A Microsoft Active Directory (MSAD) user has moved from one OU to another in the MSAD directory........99 What is the query that Shared Services sends to Microsoft Active Directory (MSAD) when I click on "Search Users" in Shared Services Console? ............................ 101 How is the communication between Essbase Client and Server encrypted?...91 Why is a search for all users in Shared Services within Oracle Internet Directory (OID) slow? ....................................... but I cannot update the port on the user directories management page in Shared Services Console................................89 How do I specify a setting to lock out a user after a number of unsuccessful login attempts to EPM Workspace? ................................

.................... with a 4096-bit certificate using Weblogic 8....1...... when I export groups using the Import/Export Utility................ 109 In the 9...... you can override this limit by including the <maxSize>desired number</maxSize> parameter within the Native Directory configuration..................... 108 In environments where multiple providers are configured for use with Shared Services.................
® To override this limit:
1 2
Log on to Shared Services Console........... similar to LDAP or MSAD providers................ 106 What configuration changes are recommended to improve performance of EPM system security? ............................ Is there a limitation on the number of groups that can be exported?
By default...................Server Audit Enable Status:....... but it fails to execute.........1 release..................................What are the different custom authentication options in EPM system and when should I use them? ..........x releases? .............false”..... Is there a limitation on the number of groups that can be exported?
77
.......000 groups are exported.................. 109 How do I export the provisioning data for a subset of the applications registered with Shared Services using the Import/Export Utility? .. 104 Where can I find the Shared Services Security API documentation? .................................................... 111
I have more than 5............1...................1 and 11.......... 109 Does EPM System support desktop Single Sign-on using Kerberos?......1? ......................... I want to connect to my LDAP server using LDAPS........ 109 In Shared Services Console................................... I execute backup. 110 To back up Shared Services........... However..... Can I leverage the Oracle Identity Management infrastructure from within EPM System? .....000 Native Directory groups in Shared Services. 106 I use Oracle Identity Management in my enterprise.......... is there a way to log in to a specific provider to improve login performance?.....sh as instructed in the EPM System Backup and Recovery Guide.................................000 groups are exported........................ only 5............................................ Why do I receive an error about “Unknown key spec: Invalid RSA modulus size” in the Shared Services log?..................000 Native Directory groups in Shared Services.. What does this message mean and can I ignore it? ....... However......... 107 Where can I find documentation on how to use the Shared Services Import/Export Utility for the 9............. you can export up to 5.......................... However.........000 users/groups from Native Directory........................3......... What modifications are needed for this script to execute? ....................3....
I have more than 5........ Select Administration > Configure User Directories............................ 105 The SharedServices_Audit........................... 110 Is OpenLDAP via SSL supported in EPM System 9....................... only 5.....................log sometimes includes this line: “AuditHandler .................................................................. when I export groups using the Import/Export Utility.. why aren't some applications roles listed among the Available Roles to provision?......3.................................

78
User and System Security
.3 4
Select Native Directory and click Edit.1/openLDAP (shown below)
6
Open the slapd.x: <Hyperion_Home>/products/Foundation/openLDAP 9.1.
5
Go to the following directory:.x: <Hyperion_Home>/SharedServices/9. Set the Maximum Size to the desired value (default value is 5000).conf file for editing.1.
q q
11.3.3.

I have more than 5.000 groups are exported. However.000 Native Directory groups in Shared Services.
8
Restart OpenLDAP and the Shared Services Web application.7
Edit the SIZELIMIT parameter to the same value as the one defined in Shared Services Console. only 5. when I export groups using the Import/Export Utility. Is there a limitation on the number of groups that can be exported?
79
.

3.1. this validation check is not performed.0 and earlier. In release 9. when you save the directory configuration in Shared Services Console. a search for groups does not return any records because the group object classes supported by MSAD are different from those for which Shared Services is searching. In such configurations.3.xml file.
80
User and System Security
. as illustrated below.9
Log on to Shared Services Console and check that more than 5000 groups (more than 200 pages) are displayed. In releases prior to 9. a validation is performed and a message is returned if there is a problem with the configuration. Verify that MSAD is specified as the directory type. even though groups exist under the group URL?
In releases 9. some customers mistakenly specify Lightweight Directory Access Protocol (LDAP) as the directory type instead of Microsoft Active Directory (MSAD) when configuring MSAD as an external user directory in Shared Services Console.3.1 and later. modify the MSAD configuration by updating the CSS. To solve this issue.
Why does a search for groups return no records from Microsoft Active Directory (MSAD).

1 (on the 9.3.2. see the security documentation for your release.3.x codeline). you cannot provision users with same CN in MSAD.1.1.2. run the Update Native Directory Utility to remove the deleted external users from Native Directory. You can also pass this property to the JVM by updating the JVM settings using the application server’s Administration console.1.1 codeline) and release 11.0. For all J2EE Web applications.log) to a location other than the temp folder?
To change the default location of the SharedServices_Security_client. this limitation is addressed by introducing support for ObjectGUID as the identity attribute. and later.4.3. in Shared Services Console.bat on Windows and . you must restart the application server.3.log.io. In Essbase release 9.1. For information about changing identityAttribute to ObjectGUID. In releases 9.
Note: After updating this property.
Can I provision users with identical Common Names (CN) but with different sAMAccountName & Distinguished Name (DN) in MSAD?
In releases prior to 9. add the Java system property Djava. the only possible solution to this issue is to ensure that CNs are unique under the configured base DN / user URL for the MSAD directory. the Essbase security refresh/sync is no longer required.2 (on the 11.0.
How do I change the default location of the Shared Services security log file (SharedServices_Security_client.1. update the System 9 product startup file or script (. and then refresh security information again from Essbase.tmpdir=<log path> to all JVMs. see the security documentation for your release.
Why does the Essbase security refresh (bulk sync) fail intermittently?
81
.tmpdir=<log path> to the JVM that is used by the application server instance.1.Why does the Essbase security refresh (bulk sync) fail intermittently?
The Essbase security refresh may fail when an external user (either MSAD or LDAP) is deleted from the external directory but remains a member of a Native Directory group that is provisioned. In these releases. This will change the temp file location for all applications running in that JVM. 9.3 and 9.io.sh on UNIX) to pass the Java system property -Djava.3. To solve this issue. For instructions.

For Financial Management:
1. Also.
82
User and System Security
. set this value for the next available ESS_CSS_JVM_OPTION. Update the hyperionenv.
ESS_CSS_JVM_OPTION3=-Djava. Stop Essbase Server. 2. ESS_CSS_JVM_OPTION4.tmpdir=<log path>
3. For example.doc file by adding the following property:
ESS_CSS_JVM_OPTION3=-Djava.tmpdir=<log path> to the JVM as an environment variable:
Windows
1. 2.io. ensure that the property value is in enclosed quotation marks. for example "Djava. Start Essbase Server. append:
-Djava. Stop Essbase Server. Set the Windows system environment variable:
ESS_CSS_JVM_OPTION3
to
-Djava.exe on the Financial Management server for the new setting to take effect.io.io. On the Financial Management application server.
UNIX
1. for example. Start Essbase Server.tmpdir=<log path>
If ESS_CSS_JVM_OPTION3 is already in use.io.tmpdir=<log path>”.io. Restart CASSecurity.tmpdir=<log path>
to the value of the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Hyperion Solutions\Hyperion Financial Management\Server \Authentication\LibPath
Use a space to separate this value from existing values of the registry key.For Essbase:
Pass the Java system property -Djava.io. 2.tmpdir=<log path>
3.

then set the “use groups” option to false according to your release:
q
In release 9.2.xml file is invalid. the user directory configuration is validated in Shared Services Console to alert you if a problem exists. In release 9. see the security documentation for your release. but Shared Services seems to access groups information from LDAP/MSAD. The circular dependencies within the groups need to be removed if you plan to use MSAD/LDAP groups. To solve this issue.
Why does Workspace hang when an MSAD/LDAP user logs in?
In releases prior to 9.2. this issue may happen when circular dependencies exist in MSAD/ LDAP groups. For more information about validating/testing the user directory configuration. see the security documentation for your release. In all releases. For information about supported characters in user names.1 and later. see the For more information about validating/testing the user directory configuration. This limitation is removed in release 9..1. carefully review the user directory configuration in Shared Services Console.
Why does a search for users/groups in Shared Services Console return the error message “Provider Not Reachable”?
In releases prior to 9.Does Shared Services support the asterisk character (*) in user names?
No.xml file to a node that does not contain any of these groups (i.CN=LostAndFound if you do not plan to use MSAD/LDAP groups). or the user and/or group URL specified in the css. Verify that the Support Groups check box on the Group Configuration tab
Does Shared Services support the asterisk character (*) in user names?
83
. for your release.3.3.e. because it is the wildcard character used for searches performed in the Shared Services Console. An alternative is to set the group URL in the css.3. the asterisk character (*) is not supported in user names or in Common Names (CNs).1 or later. How can I avoid this?
If you do not use LDAP/MSAD groups.0. you can create groups in Native Directory and assign users from LDAP/MSAD directories to them. this issue is most likely to happen when the user directory is not configured properly.0. .
I don’t use LDAP/MSAD groups.3 and later. use the Shared Services Console to modify the user directory configuration.3.

1.1.x). see the Security Administration Guide for your release (9.1.xml file: <useGroups>false</useGroups> In release 9.3 or 9. or by a combination of all.xml file to set the group URL to CN=LostAndFound (for MSAD) or to a dummy group URL (for LDAP) that is a valid group URL but does not have any groups (or has very few groups).2.3.1 or 11.
q
It is recommended to set the group URL and tune the group filter to decrease the number of groups that Shared Services has to parse through to build the cache.3. see the Security Administration Guide for your release (9.0. by setting a user filter.3.0. For instructions.2.1.2.x releases. by filtering by object class(es).1.x)
q
In release 9. Doing so will improve the runtime performance significantly. or prior versions. you can filter users by setting the user URL in Shared Services Console (user directory configuration UI.2.1 or 11. For more information about group filters.
How do I limit or filter the external users that are available in Shared Services?
In the 11. users tab) to limit searches to a particular region in the external user directory tree.is not selected.1.0. Examples of user filters:
q q
Use “CN=Hyp*” to filter users whose CN starts with Hyp Use (|(cn=Hyp*)(cn=Ora*)(cn=User One)) to filter users whose CN starts with Hyp or Ora or a particular user User One Use (& (cn=Hyp*) (sAMAccountName=Hyp*)) to filter users whose CN and sAMAccountName start with Hyp
q
84
User and System Security
.1. edit the css. manually add the following parameter within the group section of the appropriate directory in the css. 9.

place the directory that has either the most users or the most frequently searched users first in the search order.1. 9.1.2. see the Security Administration Guide for 11.1. For more information about search order. only static groups are supported in the current releases.x.For instructions to set user filters.x).
Does EPM System support LDAP/MSAD dynamic groups?
No. Therefore.3. To improve login performance. or 11.1.
How can I improve user login performance when several directories exist in the user directory search order?
In all releases. see the security documentation for your release (9.1.1. the order of directories in the search order has a direct impact on login performance.
How can I improve user login performance when several directories exist in the user directory search order?
85
. Shared Services follows the search order of directories to authenticate users at login.

Why does the OpenLDAP service fail to start with error code 19?
The most likely reason for this error message is that the OpenLDAP repository is corrupted.x: <Hyperion_Home>\products\Foundation\openLDAP\var\openldapdata
For 9. see the Security Administration Guide for 9. we recommend executing the Update Native Directory utility. Since OU is part of the DN.0. the report won’t show any roles for the user.
How do I create/modify/delete Native Directory users and groups in bulk or provision/deprovision users and groups en masse?
For System 9 releases. For instructions. see the Lifecycle Management Guide.x: <Hyperion_Home>\SharedServices\9. To address this issue. 9.1. If users are moved often between OUs and their security needs to be maintained.0). and the user or group is moved from one OU to another. If the identity is changed.1. then run the similar tools provided by Reporting & Analysis and Planning. For example. typically in:
86
User and System Security
.1.2.2. on Windows.3. the identity attribute is configured to be DN (the default until releases 9. which updates OpenLDAP/OID.1. or 11.1.
® Restore the database by running the db_recover command:
1 2
Navigate to the openldap-data folder.1. see the security documentation for your release (9. which update the identities in local repositories. the user’s identity is changed and therefore the user’s security is lost. use the Import/Export utility to perform this task.Why can’t LDAP/MSAD users log in to a product even though they are given proper security roles?
In some scenarios. this folder is typically in:
For 11. For EPM System releases (11.1. check the user directory configuration in Shared Services Console and run the provisioning report for the user.3.2 and 9.x).1. For more details. use Lifecycle Management.x).x\openLDAP\var\openldapdata
3
Run the db_recover command:
For example. we recommend using directory-specific unique attribute as the identity. For instructions.3.1. on Windows.3. To determine the current identity attribute.3.

Support for HRAM and NTLM is deprecated in release 11.
Why does the Shared Services OpenLDAP service sometimes get removed after an upgrade?
This is a known issue introduced in release 11.1.0.1. located in: Hyperion_Home/deployments/<AppServer>/ SharedServices9/config.0.1. Set the CSS. I restarted Shared Services but the identities in Native Directory didn’t migrate.3.00. installed with Shared Services.exe install OpenLDAP-slapd "Hyperion Foundation OpenLDAP"
After changing the identity attribute from DN to ObjectGUID (or nsuniqueid.MIGRATION.
For more information about the db_recover command.00. or ibmentryid).x: <Hyperion_Home>\SharedServices\9.0 that has been fixed in the 11. execute:
HYPERION_HOME/products/Foundation/openLDAP/slapd.1.1.
What is HRAM and what is it used for?
87
. HRAM can be used to access Windows NT domain users from UNIX platforms or Windows domain users from non-trusted Windows NT domains. as documented in the security documentation. Support for NTLM configurations will be removed from the EPM System installation in release 11.properties file.exe –v
4
Start OpenLDAP.x\openLDAP\bdb\bin\
db_recover.3.1. see the Security Administration Guide. GUID.
What is HRAM and what is it used for?
HRAM is Hyperion Remote Authentication Module.2. orclguid.2 release.exe –v
For 9.1. The workaround to this issue was to re-create the missing OpenLDAP service as follows: From a Windows console. How do I force Shared Services to change these identities?
Edit the CMS.1.For 11.STATE property to FORCE_MIGRATION and restart Shared Services.x: <Hyperion_Home>\products\Foundation\openLDAP\bdb\bin\
db_recover.1.

Native user IDs and passwords are stored in OpenLDAP.1.3.1.1. You can override the default authentication mechanism using the Shared Services Custom Authentication Module (CAM). security assignments in Development and Test environments are different. For more information. Native user passwords are encrypted using SSHA (Salted Secure Hash Algorithm). If Native Directory is configured for OID.
Are the Shared Services Native Directory user IDs and passwords stored in the OpenLDAP directory or in the Shared Services repository?
Which encryption mechanism is used and where is the key stored? By default. only migrate the native groups in Shared Services but not the native users.1.3. Best practice is to use groups in Native Directory unless the customer has a corporate directory in Development that is different from the one in Test.0.x (Implementing a Custom Authentication Module).05. The Shared Services repository stores all registration information from products. This procedure is documented in detail in “Using the Update Native Directory Utility” (Chapter 10) of the Security Administration Guide.x. When migrating.1. and 11. see the Readme file for these service fixes or refer to the whitepaper for 11. what is the best way to get EPM System’s user identities migrated to the new directory?
You can use the Update Native Directory Utility to migrate users and groups across user directories.05. Developers have access to artifacts and data in the Development environment but do not have access to Test or Production environments.
When moving from one user directory to another.
What are the best practices for migrating users and groups from one environment to another?
In general. supported in Shared Services release 9.Can I override the default authentication mechanism used in EPM System with a customer’s own authentication mechanism?
Yes. One method to avoid re-developing security in Test is to set all security at the group level. Then reassign new users to the groups in the Test environment.1. 9. and so doesn’t require any key.
88
User and System Security
.0. then they are stored in OID. SSHA is a one-way hash.

1.How do I configure Shared Services to use Oracle Internet Directory (OID) as an external directory?
Starting with 9.
How do I configure Shared Services to use Oracle Internet Directory (OID) as an external directory?
89
. Select Add LDAP Directory (see screenshot below):
There is a known limitation for this configuration for 11.1 release.1.3.1. For more information about configuring user directories. To configure Shared Services to use OID:
® To configure Shared Services to use OID:
1 2 3
Log in to Shared Services Console. OID can be configured for use with Shared Services as an external user directory. see “Configuring User Directories” in the Security Administration Guide.1 where it is not possible to use usernames or user URL for directory objects that include the dotless Turkish “I”.1. Select Administration > Configure User Directories.0 and 11.

password policies are not supported in releases 9. For Native Directory.1.x and 11. A list of supported external authentication providers is listed in the EPM System Certification Matrix. and production but the actual security assignments can stay the same to simplify migration of artifacts from one environment to another. such as LDAP or MSAD. Native groups should also be used when customer doesn’t have a different corporate directory in dev. For more information.1. Native groups should be used in the following cases:
q
Where the group provisioning is used but the external authentication provider group structure is not conducive for provisioning to EPM System products. if the user population within the corporate directory group can change and is not within the control of the EPM System administrator. This inadvertently allows access to EPM System products by users who should not be authorized to access them.x by default.3.000 groups) in the corporate directory and there is no possible way to filter down the list of groups to a smaller population that can be then provisioned to EPM System products.1.x. add the corporate directory users to native groups. Native groups can include different users in dev. and training purposes. In this case.3. the EPM System security administrator should create a proper set of native groups. and provision them to EPM System products. In these scenarios and other similar cases. see “Setting Up Password Policies” in the “Managing Native Directory” chapter of the Security Administration Guide. for example. you can configure Oracle Internet Directory (OID) as the Shared Services Native Directory and you can set the password policies in OID for native users.x. in 11.
What are the best practices for using Native Directory users and groups in Shared Services?
Native users can be used for development. Native users are not recommended for use in production systems.1. test and production. Shared Services does not provide a built-in locking mechanism. Locks are controlled by the password policies provided with the external user directories. Another scenario is where there are a significant number of groups (> 10.
q
q
90
User and System Security
. However.1. testing.1.How do I specify a setting to lock out a user after a number of unsuccessful login attempts to EPM Workspace?
In releases 9. test. An external authentication provider such as LDAP or Active Directory should be used in production environments.x and 11.

I have lost the Shared Services “Admin” user password. How do I reset it?
91
. How do I reset it?
® To reset the “Admin” password:
1
Using an LDAP browser. Select cn=911 user as shown below:
2
3
Select the userPassword attribute. and select Edit -> Edit Attribute. right-mouse click. To connect. connect to OpenLDAP as the root user. you must know the OpenLDAP root password that was likely changed after configuration. (See “Changing OpenLDAP root User Password” in Chapter 8 of the Security Administration Guide.I have lost the Shared Services “Admin” user password.

If several object classes are specified. which sets the password.4
Enter the new password and then click Set. this type of search may be slow due to the ACIs (Access Control Instructions).
Why is a search for all users in Shared Services within Oracle Internet Directory (OID) slow?
In some environments. reduce the number of object classes to the absolute minimum. then specify person object class. the Shared Services Security log file states the following:
92
User and System Security
.
Why can’t an Active Directory user login to EPM System products. even though the user is provisioned with proper roles and entered valid credentials?
Shared Services Console may return an error message about a user having invalid credentials. If no object classes are specified for users.

impl. comment: AcceptSecurityContext error. The following screen shot shows the user’s Properties screen in Active Directory’s Users and Computers Administrative Tool.css.spi. but the user is not allowed to log on to this workstation. vece ]
Shared Services is authenticating the user with the given credentials against Active Directory. Click the “Log On To…” button to get to the screen to add/ edit the workstations the user can log in to.authenticate(Unknown Source) -.
Why can’t an Active Directory user login to EPM System products.naming.MSADProvider. you specify workstations to which a user is allowed to log on. even though the user is provisioned with proper roles and entered valid credentials?
93
.msad.com. you also need to specify the Domain Controller (Host Name) that is provided while configuring the Active Directory provider in Shared Services Console or select the option of “This user can log on to All Computers”.Unable to authenticate user123 javax.hyperion. data 531.AuthenticationException: [LDAP: error code 49 80090308: LdapErr: DSID-0C090334. Once you specify one or more workstations. In Active Directory.

94
User and System Security
.

1.1.1. For complete instructions.x Security Administration Guide.1. From Shared Services Console.xml file is stored in the Shared Services Registry. You should use Shared Services Console UI to configure user directories.How do I add new user directories or change user directory configuration in the 11.x releases? Where is the CSS. see the “Configuring User Directories” chapter in the 11.1.1.x releases.xml file that I could update in previous releases?
95
.x releases? Where is the CSS. select Administration -> Configure User Directories.1.xml file that I could update in previous releases?
In the 11. the CSS.1.
How do I add new user directories or change user directory configuration in the 11.

see “Changing the OpenLDAP Port” in the “Ports” chapter.x releases. but I cannot update the port on the user directories management page in Shared Services Console. For complete instructions.1.3.
How do I change the location where data files are stored by OpenLDAP?
® For the 9.1/openLDAP/ var/openldap-data
4
Start OpenLDAP. Can I use this OID as the EPM System Native Directory in the 11.1.1.1 and 11.3.1. If using Performance Management Architect.
I want to run OpenLDAP on a non-default port.x releases?
Yes. Find the directory directive and point it to the desired location where you want the log files to be created.x and 9.1.1. see “Configuring OID as Native Directory” in the “Managing Native Directory” chapter of the 11. follow this procedure to change where files are stored by
OpenLDAP:
1 2 3
Shut down OpenLDAP.I already have an OID deployment. there is no limit on characters in usernames. For example:
directory <Hyperion_Home>/SharedServices/9.conf file in the OpenLDAP home location.3.1 releases.x and 9.
How many characters can an EPM System username contain?
For Essbase and Planning. For Financial Management.1 releases?
Instructions for changing the openLDAP port to a custom port are now documented in the Installation Start Here document for the 11.x Security Administration Guide. open the slapd.1.1. In a text editor. How can I run OpenLDAP on a non-default port for the 11.3. Check the system requirements for your release to see which versions of OID are supported. usernames can contain no more than 30 characters for any username (from Native Directory or from an external directory).
96
User and System Security
.1. the username can contain no more than 50 characters.1.

is configured in Shared Services with DN as the identity attribute. see “Configuring OID. For detailed instructions on running the Update Native Directory Utility. An archive of this utility is available in <Hyperion_Home>/common/utilities/ SyncOpenLdapUtility/UpdateNativeDir. How do I fix this?
97
.x).3 and 9. nsuniqueid for SunONE LDAP. Because. run the required product-specific utilities to update the identities in product repositories.3. How do I fix this?
If MSAD.1. Using providerspecific attributes makes the movement of users from one OU to another in these providers transparent to EPM System products.3. temporarily. there is a set of product service fixes that increase the length limit of the user name to 256:
q q q q q q
Performance Management Architect Planning Essbase Provider Services Essbase Administration Services (EAS Server) & (Administration Services Console) DRM
A Microsoft Active Directory (MSAD) user has moved from one OU to another in the MSAD directory. which causes the provisioning data to become invalid.2. or an LDAP-enabled user directory. it is recommended to use provider-specific attributes as the identity attribute (such as ObjectGUID for MSAD. Note: This issue can be fixed.1. starting from the 9.1.0. DN is location-specific.
Note: The same procedures can be applied to LDAP users as well. and Other LDAP-Based User Directories” in the Security Administration Guide for your release (9. any change in a user account’s location causes the identity of the account to change.
A Microsoft Active Directory (MSAD) user has moved from one OU to another in the MSAD directory. OrclGUID for OID.1. provisioning data of the user becomes invalid if the user account is moved from one OU to another.1. Provisioning information for this user has been lost and the use cannot log in to EPM System products.zip.1or 11. by running the Update Native Directory Utility.3. After running the Update Native Directory Utility for Shared Services. see “Using the Update Native Directory Utility” in the Security Administration Guide for your release (9.
To permanently fix this problem. Provisioning information for this user has been lost and the use cannot log in to EPM System products. For information on configuring LDAP-enabled user directories with an identity attribute that is not location specific.1. GUID for Novell eDir).x).1 releases.2.For release 11. MSAD.1 or 11.

98
User and System Security
. A cold backup of OpenLDAP is needed periodically for recovery (shut down OpenLDAP and back up the entire OpenLDAP directory).log files in OpenLDAP:
1 2 3
Shutdown OpenLDAP. You are not able to set up a different external directory in test and production. Type the following 2 entries in the file:
set_flags set_flags DB_TXN_NOSYNC DB_TXN_NOT_DURABLE
4
Start OpenLDAP. a different directory is needed to hold the group membership. It is recommended that all security assignments are done at the group level.000 groups in the corporate directory.
Note: The drawback with this setting is that you cannot do a catastrophic recovery. Create a file called DB_CONFIG (case-sensitive) in the openldap-data directory (located under OpenLDAP home). Corporate directory group membership is not under the control of the application security administrator. and it is not possible to create a filter in the directory configuration setting in Shared Services Console that will only return the needed groups
q
q
q
Note that in any type of configuration users cannot access the system when they are deactivated in the corporate directory.What is the best practice on setting up security in terms of using Native Directory groups versus corporate directory groups in MSAD or LDAP?
Using Native Directory groups in Shared Services is recommended over corporate directory groups when:
q
There are no corporate directory groups that contain all the users that need access to EPM System products. There are more than 50.
How do I limit the amount of logging done by OpenLDAP?
® To limit the number of . and since security in development and production is different.

then the query would be:
(&(sAMAccountName=<full user name or part of username followed by * that you would have entered in the search field>)(objectclass=user))
If you click on the Show All Users button. this cache refresh interval is set to 60 minutes.1. Therefore.x release.
Why are users or groups that have been deleted from MSAD or LDAP still visible in Shared Services Console?
99
.x releases. MSAD.x and 11. Assuming that the Login Attribute is sAMAccountName and the user object class is user. see “Configuring OID. the number that is set as maxSize for this directory in the configuration. You can reduce this time by either setting the cache refresh interval to a lower value or by restarting Shared Services and/or EPM System products to see the changes made to external groups reflected immediately.
What is the query that Shared Services sends to Microsoft Active Directory (MSAD) when I click on "Search Users" in Shared Services Console?
The query depends on the Login Attribute and the user object classes that are configured for the MSAD directory in the Shared Services directory configuration interface. it may take up to 60 minutes for changes made to external groups to be reflected in the Shared Services Console.3. see “Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories” in the “Configuring User Directories” chapter of the Security Administration Guide.x release. and Other LDAP-Based User Directories” in the “Configuring User Directories” chapter of the Security Administration Guide. any attempt to authenticate the users will fail and they will not be able to login to the system the moment they are removed from the directory. at the most.Why are users or groups that have been deleted from MSAD or LDAP still visible in Shared Services Console?
In the 9. For instructions to change the cache refresh interval in the 9. Note that even though the users are visible.1. By default. For instructions to change the cache refresh interval in the 11. the query would be:
(&(sAMAccountName= *)(objectclass=user))
The search would be limited to return. certain information of the external groups (MSAD or LDAP) is cached by Shared Services to improve performance and reduce the number of calls to the external user directory.1.1.

login to Shared Services as an Administrator user and select the Change Native Directory Password option from the Administration menu to change the password.
5
If the root password is not known.dc=com" -a -c -h localhost -p 28089 -v -x -w XXXXXX -f ”<OPENLDAP_INSTALL_DIR>/openLDAP/usr/local/etc/openldap/css. empty openLDAP directory.
100 User and System Security
. The only thing you won't have is user provisioning and native users/groups. Is there a way to bring OpenLDAP to its initial state but not lose all the application registration information in the database?
Yes.dc=css.sh.
® On UNIX:
1 2 3 4
Clear the openldap-data directory under:
<HYPERION_HOME>/products/Foundation/openLDAP/usr/local/var/
Navigate up to the <HYPERION_HOME>/products/Foundation/openLDAP directory and run postLDAPInstall.bat./usr/local/bin/ldapmodify -D "cn=root.ldif"
Where XXXXX is the root user password. You can then run the syncOpenLDAP utility from Shared Services Console to get projects and applications to it.
There is now a new. empty openLDAP directory.I have imported some provisioning data into OpenLDAP incorrectly. You can then run the syncOpenLDAP utility from Shared Services Console to get projects and applications to it. you can restore OpenLDAP to its initial state without losing application registration information:
® On Windows:
1 2
Clear the openldap-data directory under:
<HYPERION_HOME>/products/Foundation/openLDAP/var
Navigate up two levels to the openLDAP directory and run ConfigureHUBLdap.sh Execute runLDAPCmd.
There is now a new. Execute the following command:
.dc=hyperion. The only thing you won't have is user provisioning and native users/groups.

Product security information (such as authentication and failed logins) is logged.x release. a change to an Essbase security filter is not logged.
® To audit security activities:
1
In Shared Services Console.
2
Then generate an audit report by selecting Administration and then Audit Report. logout. or. such as “applications a user has accessed” or “date of last login attempt”?
Starting with the 11. right-click. and select Configure Auditing. because the audit data is in the Shared Services relational database. More information is available in the “Managing Provisioning” chapter of the Security Administration Guide.
Reports can be exported to a CSV file.1. The activities that can be audited include login (including failed login).How can I audit security activities. provisioning changes. select an application group or an application.
How can I audit security activities. For example. and Native Directory management.1. such as “applications a user has accessed” or “date of last login attempt”? 101
. Changes to product-specific access control lists are not logged. Shared Services supports auditing of security activities for the EPM System products. custom reports can be generated from the database directly.

0.3.1.
Can I change or regenerate the security SSO token encryption key?
If you wish to periodically change the single sign-on (SSO) token encryption key in different environments (for example.
What is the connection protocol between Essbase Server and EPM System products?
Also.x Security Administration Guide.
Which connection protocols and security mechanisms can be used for the EPM System connection with corporate directories?
EPM System products access MSAD and LDAP servers using LDAP or LDAPS (LDAP over SSL) protocol. Credentials are protected in the current product using the Blowfish symmetric algorithm. Shared Services uses the Blowfish encryption algorithm to encrypt/decrypt passwords in the css.1.0. and SSO token.xml file.1.x. This step is necessary for enhanced security of the platform.How is the communication between Essbase Client and Server encrypted?
Essbase client-to-server communication does not support SSL but is being considered for a future release. The steps are the same for 9.3.1. Development and Production).1.3.12.xml file. After the encryption is done. The passwords are encrypted using 128-bit Blowfish algorithm.12 and 11. see the SSL Configuration Guide.x releases. the passwords and SSO tokens are base 64 encoded. Run the SharedServices Handler Utility available in release 9.1. This SSO token is used when a user navigates across EPM System products without prompting the user to login again.x and 11. is the Essbase/EPM System product connection encrypted? Are the passwords encrypted? The connection protocol for all connections to Essbase Server is a proprietary protocol over TCP/IP. The steps for running the utility are documented in “Regenerating the SSO Encryption Key” in Chapter 11 of the 11.
Which encryption mechanism does EPM System use?
For both 9.1. Domain.1.
102 User and System Security
. For instructions on how to configure directory access via SSL. you can regenerate the single signon token encryption key.

One usage of the custom authentication module is with environments with one-time passwords like RSA pin code.oracle.oracle. the interface to implement is: http://download. for CSS Custom Authentication module. This enables a user to login to his/her desktop and would not need to re-login to applications.1.0 should contact Support for information about obtaining this module.1.pdf In the 9. In this scenario. Financial Management) is available only through EPM Workspace.html
What is the scope of Kerberos support for EPM System?
Kerberos is a network protocol used mostly for desktop single sign-on (SSO).
What is the CSS Custom Authentication Module? 103
.1. For more information see this whitepaper: http://www. Interactive Reporting pass-through supports database proxy authentication when using an Oracle database 10. Adding this custom authentication is transparent to thin and thick clients.com/technology/products/bi/pdf/epm_kerberos_wp. Kerberos SSO support for IIS-embedded EPM System products (for example. Kerberos (also called “transparent login” for Reporting and Analysis) is supported for EPM Workspace browser access.x.1.) This allows customers to write their own Java class for authentication.3. Kerberos is supported across EPM System products with the following exceptions:
q
Kerberos SSO is not supported for EPM System products deployed on the Embedded Java Container (Tomcat).111/epm_security_api_11111/client/ com/hyperion/css/CSSCustomAuthenticationIF. (It works only if the user provides username and password).1 Service Pack 1 and in the 11. In release 11.3.1 configuration. Kerberos SSO is not supported for thick clients (including Smart View and Smart Space). In release 9. SSO access to Financial Data Quality Management is provided through Financial Management.3.1.3. on Windows and UNIX platforms.1. (Customers on release 9.x provides some information about this topic (see “Kerberos Single Sign-On” in the chapter on “Enabling SSO with Security Agents”): In 11. A whitepaper describing the configuration for WebLogic/IIS is available in the whitepaper library on OTN.com/docs/cd/E12825_01/epm. LDAP).x. The values entered in the username and password fields are sent to the custom module for authentication.pdf As a reference. as a replacement of the default provider authentication (for example.
q q
The Security Administration Guide for release 11. the Interactive Reporting pass-through mechanism does not allow for SSO. the end user would enter the RSA pin code in the password field.1.2 or higher.x releases to add authentication flexibility to the EPM System platform.1.1. specifically: http://www.oracle.com/technology/products/bi/pdf/epm_custom_authentication_wp.What is the CSS Custom Authentication Module?
CSS Custom Authentication is a module added in Shared Services 9.

thin client.pdf). etc.
How do I enable the CSS Custom authentication module with Reporting and Analysis. i.3.x?
In EPM Workspace.oracle.1.x Security Administration Guide).) and validates the credentials using a custom Java class.1.
What are the different custom authentication options in EPM system and when should I use them?
There are three types of custom authentication with different names and usages:
q
CSS Custom Authentication module takes username and password as parameters from any clients (thick client. css-9_3_x.x. if Reporting and Analysis Core Services does not find your custom authentication class.The whitepaper provided for 9.e. the following whitepaper documents how to do this for EPM Workspace (page 17 of http://www. This procedure may be used if you are packaging your custom authentication class outside of the css jars. add the containing jar to the Reporting and Analysis CLASSPATH by modifying CSS_CLASSPATH in the file set_common_env. select Administration -> Configure User Directories and select the Security Options tab. For EPM 11.com/technology/products/bi/pdf/ epm_custom_authentication_wp.1. You can edit the field on the right to specify another HTTP header name.
How do I change the security agent header used for SSO with Workspace 11.bat or set_common_env. For 9.sh in the <HYPERION_HOME>/BIPlus/bin directory. the header name is taken from CSS configuration (see “Configuring EPM Workspace for SSO” in the chapter “Enabling SSO with Security Agents” in the 11.
® To change from the default HYPLOGIN header:
1 2 3
From Shared Services Console.x.jar.1..1 will also prove useful when configuring.1.1. each Web application and servers must locate the custom class containing your authentication code. if it is not picked up in the CLASSPATH?
When using the CSS custom authentication module. Select Show Advanced Options and Enable SSO. Ensure that Select SSO Provider or Agent is set at “Siteminder” or “Other” and that SSO Mechanism is set at “Custom HTTP header”.
104 User and System Security
. if you use $SECURITY_AGENT$ Username Policy in EPM Workspace.3.

is the main interface to validate users and interpret user access to EPM System products.1. or a Web application identity assertor. Therefore.com/technology/products/bi/pdf/epm_custom_authentication_wp. both will be merged.1. and includes the Java doc with detailed information on all classes. For more information on this custom module. MSAD.1.1. It enables EPM System products to authenticate users. and from this request has to return a valid username. Also.x Security Administration Guide. refer to the Javadoc for this class.css. or SSO. This custom login is available in 11.1. see this whitepaper: http://www.3.1. The Security API Reference documentation provides sample programs to implement Security API Java classes.
q
Where can I find the Shared Services Security API documentation?
The Security Application Programming Interface (Security API). and only CSS Custom Login class will be used.x and 9.x.oracle. You would use this module to validate the authentication information sent by a security portal. and database providers) do not meet your requirements and you need to authenticate the user with the entries supplied in the username and password fields (such as RSA pin code). This is used for Web application authentication. a Java API.1. but not in 9. This custom login is available in 11.1.CSSSecurityAgentIF) is defined in “Supported SSO Methods” in the “Enabling SSO with Security Agents” chapter of the 11.1. and has the same purpose as the CSS Custom Login class.3. integrate with a security agent and retrieve users and groups based on names and identities.x.
Where can I find the Shared Services Security API documentation? 105
. . The interface to implement the CSS Custom Login class (com.1 Service Pack 1 or higher.pdf
q
CSS Custom Login class takes an HTTP request.x and 9. This option is available in 11. in a future release. Each EPM System product implements the Security API to support security.hyperion. BI+ Custom login class takes an HTTP request as well as parameters.You would use this custom module when the authentication with user directories (such as LDAP.

Interactive User. If enabled. For example. You would configure EPM System to use Oracle Internet Directory (OID). Then assign (provision) each of the Planning roles to the enterprise groups that you have created in your identity store. This message is for information only and can be safely ignored. as the external identity store. You will create one group per Planning role. Manage Models.3. or any other supported identity store supported by both EPM System and OIM. otherwise.1. you then use OIM for adding and managing EPM System users and groups. What does this message mean and can I ignore it?
This message indicates whether the auditing feature is enabled on Shared Services Server. Planner.The SharedServices_Audit. This message is included whenever an audit client pings the server for status. see “Configuring User Directories” in the Security Administration Guide for your release (11.1).1. You can use OIM to move users in and out of groups. For example. you can use Shared Services to provision them. you could do the following: 1. the client ignores auditing events.Server Audit Enable Status:false”.false” indicates that auditing is not enabled on the Shared Services Server. 3. Use OIM to create an enterprise group in your identity store (such as OID or MSAD) for each of the Planning roles like Administrator. the client proceeds with auditing events. 2.
106 User and System Security
. Once groups are created. The message “Audit Enable Status :.
I use Oracle Identity Management in my enterprise. Can I leverage the Oracle Identity Management infrastructure from within EPM System?
Yes.log sometimes includes this line: “AuditHandler . The Oracle Identity Management (OIM) infrastructure that you already use in your enterprise can be leveraged by EPM System. if you are using OIM and wish to leverage that for provisioning with Hyperion Planning. For instructions to set up this configuration.x or 9. Once this configuration is complete. You can now use OIM to assign users to the enterprise groups based on the authorization you wish them to have. and so forth. Perform a one-time activity of logging into Shared Services and configuring your identity store as a provider in Shared Services. assign all users who need to have the Planning role to the corresponding Planning group that you created. The users would automatically have the corresponding Planning role assigned to them.

q
• Turn off Support Groups
What configuration changes are recommended to improve performance of EPM system security? 107
.
q
Reduce Object Class user attributes
Having multiple object class attributes slows down searches for user information. If your LDAP has a custom object class that identifies a user (such as myuser). add the custom object class and remove all other object classes. Remove the extra object classes such as organizationalPerson and user from the object class listing in Shared Services Console.What configuration changes are recommended to improve performance of EPM system security?
Here are some methods to increase the performance of your security access in EPM System. Only the Person object class is needed.

108 User and System Security
.1. This increases the memory footprint for all EPM System products because the group hierarchy is cached. This means that users in the external provider will be provisioned to EPM System product roles via groups and.1 and 11. If you are not using group provisioning.x releases?
Documentation on the Import/Export Utility is installed (via Shared Services) with the Import/ Export Utility zip file in this directory:
<Hyperion_Home>/common/utilities/CSSImportExportUtility
This documentation is also posted in the EPM/BI Whitepaper Library.3.
Where can I find documentation on how to use the Shared Services Import/Export Utility for the 9. optionally. it is suggested that you uncheck the Support Groups checkbox. at the user level as well.Select Support Groups only when application role provisioning is done to external groups.1.

1).4 does not support RSA certificates greater than 2048 bits.
In environments where multiple providers are configured for use with Shared Services. and in the chapter “Enabling SSO with Security Agents” chapter in the Security Administration Guide (for 11. to solve this issue.
Does EPM System support desktop Single Sign-on using Kerberos?
Support for Kerberos authentication is documented in the whitepaper Configuring Oracle Hyperion Workspace for Kerberos Authentication (for 9. he can log in to EPM Workspace using joe@MASD1 to bypass the configured search order and log in directly to the specific provider.1.3. For example. This can be helpful to speed up the login in situations where there are many providers to check. Why do I receive an error about “Unknown key spec: Invalid RSA modulus size” in the Shared Services log?
This error occurs because WebLogic JDK 1. with a 4096-bit certificate using Weblogic 8.xml file and the user joe is in this directory. You must upgrade to Weblogic 9. I want to connect to my LDAP server using LDAPS.x).In environments where multiple providers are configured for use with Shared Services. using JDK 1.2. see “Configuring User Directories” in the Security Administration Guide. For provider configuration instructions. if you have a provider called MASD1in your css.1 release.5.1. you can log in to a specific provider with the syntax of “UserName@Provider_Name” rather than just user name.
How do I export the provisioning data for a subset of the applications registered with Shared Services using the Import/Export Utility?
The Import/Export Utility provides the capability to export provisioning data for all registered applications or a subset of the applications.3. Provider_Name is the name you have given to the provider when configuring the security. The utility gets installed to <HYPERION_HOME>/ common/utilities/CSSImportExportUtility.
In the 9. is there a way to log in to a specific provider to improve login performance?
Yes. is there a way to log in to a specific provider to improve login performance? 109
.

the documentation is in this structure <HYPERION_HOME>/common/utilities/CSSImportExportUtility/ importexport/doc. The example shown below will export all provisioned information for the Shared Services application and the Planning application called PlanApp1 in the Planning project . For detailed instructions. Running Recover Native Directory will ensure that all applications/admin projects registered are in sync in both the relational database and Native Directory. then the error ERROR: ${HYPERION_HOME}/deployments does not exist is returned. see the “Using the Update Native Directory Utility” chapter in the Security Administration Guide. You must also set the export. You can add any number of project and application combinations in this property.all=false
More information about these properties is available in the Import/Export Utility documentation.
In Shared Services Console.sh as instructed in the EPM System Backup and Recovery Guide.provisioning.all property to false so that only the specific application provisioning data is exported. where the location of the Shared Services deployment files is not $HYPERION_HOME/deployments/<AppServer>.To export the data for a subset of the applications. edit the backup.apps=(HUB=Global Roles)(Planning=PlanApp1) export. you need to set the export.
To back up Shared Services. What modifications are needed for this script to execute?
If a manual deployment to the application server was performed.provisioning.apps property in the importexport.
110 User and System Security
. After you expand the utility zip or tar file. why aren't some applications roles listed among the Available Roles to provision?
The most likely reason for this issue is that the Shared Services relational database and Native Directory (OpenLDAP or OID) are not in sync. To fix this issue. To solve this issue.provisioning.
export. I execute backup. in Shared Services Console. run Recover Native Directory under the Administration menu.properties file to include only the applications from which you want to export data.sh file and provide the correct deployment location for the appropriate application server.provisioning. but it fails to execute.

1.3.1? 111
.3.1: Configuring OpenLDAP for SSL/TLS Communication
Is OpenLDAP via SSL supported in EPM System 9.1?
Yes.3.Is OpenLDAP via SSL supported in EPM System 9. There is a whitepaper that details the process to communicate with OpenLDAP via SSL in 9.

112 User and System Security
.

................................. .............................. 123 When using the Lifecycle Management (LCM) command-line utility to export artifacts to the file system..................................................................................................g..................................1....... 118 When trying to browse Financial Management artifacts in Shared Services............. but how do I move data from one environment to another?............................................................................................................................................................ 120 Why do I receive an “OutOfMemory” exception in the IIS process when using Lifecycle Management (LCM) to run multiple Financial Management migrations on large applications? .............................................. 121 Can Lifecycle Management (LCM) migrations be scheduled?........................................................................................... 124 Should I migrate Deployment Metadata via Lifecycle Management (LCM)? .................. 115 Is there a way to do version management for EPM System artifacts using Lifecycle Management (LCM)? ............................................................................ 114 Can Lifecycle Management (LCM) artifacts exported from one release of a product be imported into another release of the product? ..................x release? .. ensure that the application is up and running and the user has appropriate rights to access the feature”................................................................. from HP-UX to Linux)? .......................... why do I receive the error message "Cannot copy file"? ...................................... 114 I can use Lifecycle Management (LCM) to migrate artifacts between environments.................. What causes this? ........... is there a specific order I should follow to make the export/import successful? ......................................................................................................................................... 119 How can I secure exported Lifecycle Management (LCM) artifacts on the file system?............. 117 I am not able to use Lifecycle Management (LCM) to export Shared Services deployment metadata.......... 123 Can I integrate Lifecycle Management (LCM) with an existing production control or approval management system? . 119 What are the important limitations and issues to be aware of before using Lifecycle Management (LCM)? .................. 115 Can I use Lifecycle Management (LCM) to migrate artifacts between operating systems (e........................5
In This Chapter
Lifecycle Management
What is the best way to become familiar with the Lifecycle Management (LCM) functionality in the 11........................................................... 114 When using Lifecycle Management (LCM) to export and import artifacts from multiple products................. 120 What are the hardware or software requirements for the Lifecycle Management (LCM) component? .. 122 Can Lifecycle Management (LCM) be used for backup and recovery? ............. 115 Is there a comparison report for Lifecycle Management (LCM)? ................................ 116 Does Lifecycle Management (LCM) have audit capabilities? ..........................................................................................................1...................................... I get the error “Unable to connect to HFM app.......... 124
113
.................... 115 What is the best practice for managing application names for Lifecycle Management (LCM) in different environments? ... 124 What is the communication flow between services when using Lifecycle Management (LCM) command line utility? ...

... or move production data back to development to reproduce issues.......... is there a specific order I should follow to make the export/ import successful?
There is no specific order to follow when exporting artifacts from multiple products................... however.. 126 Can I use Lifecycle Management (LCM) to migrate provisioning information for only one application? ..........x release?
For product-specific tutorials on performing first-time LCM migrations.1..When using Lifecycle Management (LCM) to migrate security from one server to another........oracle..... if the user already exists on the target system and has changed the password...... 126
What is the best way to become familiar with the Lifecycle Management (LCM) functionality in the 11.................. follow this order:
q q q q q q q q
Performance Management Architect (EPMA) Shared Services Reporting and Analysis Essbase Planning Financial Management Performance Scorecard Profitability and Cost Management
I can use Lifecycle Management (LCM) to migrate artifacts between environments...........1......... but how do I move data from one environment to another?
Migration of data is sometimes needed to duplicate a production environment...............
When using Lifecycle Management (LCM) to export and import artifacts from multiple products.................... start a new development cycle.... see the Lifecycle Management Guide..... see the “Oracle by Example”s (OBEs) posted here: http://www.......... why isn't the password updated after migration? ............ when importing artifacts..com/technology/obe/hyp_ss/ssindex......... There
114 Lifecycle Management
........htm To get a deeper understanding of LCM functionality.............................

Can I use Lifecycle Management (LCM) to migrate artifacts between operating systems (e. For an example using Essbase. from HP-UX to Linux)?
Yes. In cases where the application names are different.. provisioned Native Directory group names. and then import to the version control system before importing to production. such as Oracle Universal Content Management. applications.
What is the best practice for managing application names for Lifecycle Management (LCM) in different environments?
In order to fully automate the migration process. including names of data sources.
Can Lifecycle Management (LCM) artifacts exported from one release of a product be imported into another release of the product?
No. to version EPM system artifacts. The artifacts are not dependent on the operating system so they can be migrated between operating systems. but the steps required to do this are documented for Essbase. Planning. The source and destination environments must use the same release. The most effective approach is to always export to the file system before importing to production.g. the best practice is to keep the Development. provisioning information needs to be edited manually before importing in the target environment. This issue will be addressed in a future release. This is more important between Test and Production environments where manual steps are often unacceptable. We recognize this is not always possible because some products’ application names include the server name. LCM allows customers to use their existing document or source-code-control systems. and application groups. see the First Time Lifecycle Management Migrations. and Financial Management in the First Time Lifecycle Management Migrations whitepaper.
Is there a way to do version management for EPM System artifacts using Lifecycle Management (LCM)?
Yes. and Production environments identical in terms of names.
Can Lifecycle Management (LCM) artifacts exported from one release of a product be imported into another release of the product? 115
. and this requires manual editing of provisioning information.is no automated tool for data migration. Test.

116 Lifecycle Management
. depending on the production control tool used. it can be achieved by writing a script that first imports the exported artifacts to the version control system and then imports to the production system. it can provide actual differences for EPM System artifacts that are text or XML based. By inserting this change in the process. it is not working now. how do I compare two environments? LCM does not provide built-in compare functionality. the following screen shows the differences on one of the Business Rules’ Global Variables artifacts using the Beyond Compare utility. what changes to the artifacts have been migrated to production during the last week? If the version control system supports a compare feature. we ensure that the artifacts in the production system are always in the corporate version control system with proper date metadata.This approach can be automated in a number of ways. such as: the system was working properly last week. users can export the artifacts to the file system and use a compare utility to see differences for text and XML artifacts. For example.
Is there a comparison report for Lifecycle Management (LCM)?
If not. For example. However. Then the customer is able to answer date questions.

® To enable the auditing feature from Shared Services Console:
1
Select Administration -> Configure Auditing and then select the Enable Auditing checkbox as shown below:
Does Lifecycle Management (LCM) have audit capabilities? 117
. Another example is to run a report on the importing of specific artifact. For example. using Shared Services Console. you can run a report on the user who performed an LCM extract and include the date it was extracted. you can enable auditing for LCM and run reports on the activities performed on product artifacts.Does Lifecycle Management (LCM) have audit capabilities?
Yes.

Or. see the “Working With Lifecycle Management and Shared Services Console” chapter in the Lifecycle Management Guide. What is the cause of this error: “Registry error occurred while accessing artifact”? When exporting the deployment metadata artifacts. Deployment metadata should not be migrated from Development to Test to Production because it includes environment-specific information.
For more information about LCM auditing. The workaround for the backup use case is to use database back up. you might encounter errors like *Registry error occurred while accessing artifact* (a detailed sample error is shown below). Audit information is stored in the database.2
Once auditing is configured. Two LCM use cases for deployment metadata are backup and change of values of artifacts.
118 Lifecycle Management
. This error occurs because the Windows file system has a limit of 256 characters for folder and file structures.
I am not able to use Lifecycle Management (LCM) to export Shared Services deployment metadata. so you can also generate custom reports using a Reporting and Analysis tool. select Administration -> Audit Reports -> Artifact Reports and enter your report parameters. The workaround for the edit use case is to use the LCM UI and change artifacts one at a time.

1.0 release and the manual steps mentioned above are not needed for such configurations.1.This issue does not occur on UNIX platforms and has been fixed in the 11. ensure that the application is up and running and the user has appropriate rights to access the feature”.0/ EPMA . and Profitability.*Registry error occured while accessing artifact-* App Server Properties for the given path/Shared Services Registry/Foundation Services Product . Financial Management.0/EPMA . Restart Shared Services
This issue is resolved in the 11.1. you must change the Financial Management registration file manually in Shared Services.9.0. In this configuration. I get the error “Unable to connect to HFM app.9.1.0/ Logical Web App@dhcp-manchester-lab-10-167-94-159_19091/EPMA Web App@dhcp-manchesterlab-10-167-94-159_19091/ App Server@dhcp-manchester-lab-10-167-94-159/App Server Properties .3.3. ensure that the application is up and running and the user has appropriate rights to access the feature”. Shared Services.5.
® To fix this problem.0/Logical Web App@dhcp-manchester-lab-10-167-94-159_19091/EPMA Web App@dhcpmanchester-lab-10-167-94-159_19091/App Server@dhcp-manchester-lab-10-167-94-159
When trying to browse Financial Management artifacts in Shared Services.0. I get the error “Unable to connect to HFM app. follow these steps:
1
Open Microsoft Word and edit the URL:
http://<hss_server>:28080/interop/content/products/HFM-9.0.instance
2 3
Search for lcmCallBack URL and add “<port_number>” to the end of the HFM URL. you must perform the import operation in the following order: Performance Management Architect. Following is a sample error message from Shared Services that is related to this issue:
error /Shared Services Registry/Foundation Services Product .5. Reporting and Analysis.5.0/Published/ <application_name>. What causes this?
This error occurs because the Shared Services server is not able to connect to the Financial Management server.0.
What are the important limitations and issues to be aware of before using Lifecycle Management (LCM)?
There are a few items to highlight:
q
When performing a composite application migration like Planning.5. Essbase.0 release for Windows. One reason this may happen is that because Financial Management is configured to use a port different from the default port 80 (for non-SSL) and 443 (for SSL).9.
When trying to browse Financial Management artifacts in Shared Services.9. What causes this? 119
.5. Planning.

no one else has these permissions.
q q
q
q
How can I secure exported Lifecycle Management (LCM) artifacts on the file system?
When artifacts are exported from the LCM user interface within Shared Services to the file system. These artifacts are environment-specific and should not be migrated.
120 Lifecycle Management
. FDM. If a customer decides to maintain and store various application artifacts. they are stored in a folder under <Hyperion Home>/common/import_export where <Hyperion_Home> is the location where Shared Services and other EPM System products are installed. Essbase Integration Services. The following EPM System products are not integrated with LCM: Strategic Finance. If an additional level of security is needed. Do not use LCM as your only means of backup and recovery. Test. The folder name is the name you provide during the export. To limit access to these artifacts. see “Disk Space and RAM” in Chapter 2 of the Installation Start Here. Before the artifacts are imported. you can modify the permissions on the import_export folder to ensure that the only person who starts Shared Services has full permissions on this folder. ERP Integrator.q q q
The source and destination environments must be on the same release number. Do not use quick edit features (export for edit and import after edit) if you want to export an artifact from one environment and import it into another environment. Essbase Studio. The first level of security is file system security. they need to be unencrypted by the authorized user. Direct application-to-application migration can happen only within the same environment such as Development. and Production. Do not migrate artifacts under Shared Services deployment metadata. For the approximate recommended disk space. The quick edit feature is only for editing and replacing the artifact in the same environment. the content of this folder can be moved to a passwordprotected container like Winzip or can be encrypted on the file system using PGP or other data encryption methods. Plan for an export to the file system and import from the file system when migrating artifacts across environments. Data migration is not supported. appropriate disk space is required to store those artifacts on the file system.
What are the hardware or software requirements for the Lifecycle Management (LCM) component?
The Lifecycle Management component is installed with Shared Services and does not require any additional hardware or services.

Why do I receive an “OutOfMemory” exception in the IIS process when using Lifecycle Management (LCM) to run multiple Financial Management migrations on large applications? 121
. change the Shutdown time limit to 10800 (3 hours). these recommended values should be safe for most environments).Why do I receive an “OutOfMemory” exception in the IIS process when using Lifecycle Management (LCM) to run multiple Financial Management migrations on large applications?
When running multiple Financial Management LCM migrations on large applications. making it possible to hit this exception. with large migrations. change the IIS configuration for the Financial Management LCM application pool on the Financial Management Web server: Enable Memory recycling with virtual memory set to 1000MB and physical memory set to 800MB.exe). however. This is under the application pool’s Properties page:
On the Health tab of the Properties page. However. This high value is set to prevent failure on long migrations where an IIS safe reset is required (due to memory limit reached) while the migration is running by providing sufficient time for the migration to complete (3 hours). This occurs because IIS does not release memory immediately after a migration completes. (Depending on the hardware resource. To avoid this. but rather waits until a memory threshold is reached before performing garbage collection for performance reasons. you may receive an OutOfMemory exception in the IIS process (w3wp. you need to allocate a large block of memory. these values can be increase.

For example. using the Lifecycle Management command line utility.
30 18 * * * ArchiveArtifacts
Where ArchiveArtifacts is a script with the following algorithm:
#!/bin/csh –f setenv HyperionHome /usr/Hyperion # Export all artifacts defined in allmdf to local file system. you will use the Migration Definition File called allmdf to export all the artifacts you wish to archive.5.0/bin/Utility allmdf –l # Use SCCS to import the artifacts into version control system. $HyperionHome/common/utilities/LCM/9. you can schedule LCM migrations. the following crontab entry will archive artifacts of the system to sccs each day at 6:30 PM.Can Lifecycle Management (LCM) migrations be scheduled?
Yes.
122 Lifecycle Management
.0. sccs delta SCCS
In the above example. The “-l” option specifies that you want to export the artifacts to a local file system so that they can be archived.

components separated by backslashes. A local path is structured in the following order: drive letter.1. why do I receive the error message "Cannot copy file"?
For the 9. This error indicates that a file copy error has occurred. Windows Maximum Path Length In the Windows API.
q
Can Lifecycle Management (LCM) be used for backup and recovery? 123
. the maximum path on drive D is D:\<some 256 character path string><NUL>. you can perform an LCM export of the dimension prior to making any edit.
q
When using the Lifecycle Management (LCM) command-line utility to export artifacts to the file system. Renaming the folder in the EPM Workspace/Explore module to reduce the length of the name. Then you can edit the dimension in the product.
Can Lifecycle Management (LCM) be used for backup and recovery?
LCM does not replace the need for a physical backup of servers and content. Since LCM can export most of the application artifacts (excluding data). This will serve as a temporary backup.x and 11. which is defined as 260 characters.1.) Workaround for Reporting and Analysis For Reporting and Analysis artifacts only. LCM is well-suited for the following use cases:
q
Making a temporary backup of one or more artifacts when a business user wants to edit the application content. this is well-suited for archiving application content.3. Archiving artifacts before performing an import: If you are migrating content from a test system to production. due to the path limitation in Windows. in order to ensure that the changes can be reverted back if something goes wrong. (The characters < > are used here for visual clarity and cannot be part of a valid path string. where <NUL> represents the invisible terminating null character for the current system codepage. For example: If a change needs to be made to a dimension in Essbase or Planning. and a terminating null character. For example. you may wish to archive the existing production artifacts by exporting them and checking the same into any version control system. the maximum length for a path is MAX_PATH. see the “Using Lifecycle Management Utility” chapter in the Lifecycle Management Guide. colon. the LCM command-line utility sometimes returns the Cannot copy file error message. use these workarounds to this problem:
q
Restructuring the folders in the EPM Workspace/Explore module to reduce the depth of the folder. backslash.1.For more information.x releases.

via Java APIs or command-line utility. The migration definition file (which is an XML file) can be created using the LCM functionality in Shared Services Console or can be created programmatically by the workflow system.properties
Can I integrate Lifecycle Management (LCM) with an existing production control or approval management system?
Yes. the Deployment Metadata node includes physical server names and configuration information for the deployment.0\lcm\conf\migration. from Dev to Test). Once the migration definition file is created.0. the command-line utility is sufficient because the logic of the migration is captured in the migration definition file.
Should I migrate Deployment Metadata via Lifecycle Management (LCM)?
In Shared Services Console. The use case for exporting and importing Deployment Metadata is for archiving configuration information in a version control system to monitor changes in the configuration.friendlyNames=false in the following file:
c:\hyperion\common\utilities\lcm\9. If you use the migration definition file created by Shared Services Console. you can integrate LCM with existing workflow systems.q
Running migrations with fileSystem. Migrating this data would corrupt the configuration information on the target and would make the system unusable. it needs to be programmatically modified to add the user’s credentials to it. it can be invoked by the production management system via command line or Java API.
What is the communication flow between services when using Lifecycle Management (LCM) command line utility?
The following graphic depicts the communication flow between services and the LCM command line utility:
124 Lifecycle Management
. This information should not be migrated from one environment to another (for example. These credentials need to be in plain text when inserted into the XML file but will be automatically encrypted the first time the migration is executed. In most cases.5.

Audit: The LCM command line utility audits each LCM action. 5. Process each application migration request: The LCM command line utility now processes each import or export operation by contacting the appropriate product. The CSS component requires the Shared Services Registry database to be running during initialization. 6. 3. the LCM command line utility contacts the Shared Services Native Directory (either OpenLDAP or OID) to ensure that the user’s role authorizes him to perform the requested operation.1.
What is the communication flow between services when using Lifecycle Management (LCM) command line utility? 125
. Publish status report: The LCM command line utility contacts the Shared Services web application over HTTP to publish the migration status report. Authorize: After authentication. Process Migration Definition File: The LCM command line utility first reads and processes the migration definition file. 7. Registration Information: The LCM command line utility communicates with the Shared Services Registry and the Shared Service database to obtain product registration information. by contacting the Shared Services web application over HTTP. 4. Authenticate: The LCM command line utility then authenticates the user with either the corporate LDAP directory or other provider configured for use with Shared Services. if auditing is enabled. 2.

As a best practice. the users can be imported with the “Create/Update” destination option. it is advised that native user passwords not be migrated across environments. if the user already exists on the target system and has changed the password. because the user can have a different password in the Development environment versus production. For more information on migrating security. select and migrate the application in the Shared Services/Native Directory/Assigned Roles node. This deletes the existing users in the target environment and removes all provisioning information associated with the users. The user should be responsible for password maintenance in the environment. the recommended approach is to delete the existing users during migration by choosing the “Delete” destination option. See below for a sample. If passwords need to be migrated.
Can I use Lifecycle Management (LCM) to migrate provisioning information for only one application?
Yes. see “Migrating Native Directory (Security)” in the “Working with Lifecycle Management and Shared Services Console” chapter of the Lifecycle Management Guide. After the delete operation completes. the password could be overwritten. and the users will be created with the passwords provided in the migration files.
126 Lifecycle Management
.When using Lifecycle Management (LCM) to migrate security from one server to another. why isn't the password updated after migration?
This is expected behavior.

Can I use Lifecycle Management (LCM) to migrate provisioning information for only one application? 127
. you may also need to migrate them.Since users and groups are shared between all applications.

128 Lifecycle Management
.

............... Oracle Support may require the issue to be diagnosed in an environment without unsupported load balancing technologies when there is reason to believe that the environment is a contributing factor................... EPM System embeds a default Apache Web server that many customers use as a software load balancer... Oracle will resume support. Oracle support will recommend the appropriate solution on a supported or non-load-balanced environment............... If the customer demonstrates that the Oracle solution does not work when running in a supported or non-load-balanced environment................. 130 Is Oracle ClusterWare support similar to Microsoft Clustering Services.. In addition....... 130 Does Shared Services support Oracle Clusterware for high availability? .................... There have been requests to use specific hardware load balancers............ the customer will be referred to their load balancing technology vendor for support. 132 Does Essbase support Oracle ClusterWare? ................ Oracle Support may refer customers to the unsupported load balancing technology vendor for issues that cannot be otherwise duplicated......... Oracle has not certified the use of other load balancing technologies with EPM System........... 131 I performed the Shared Services Active-Active clustering configuration on WebLogic Server according to the instructions in the published whitepaper.................... Oracle Support will assist customers running with other load balancing technologies as follows: When a customer logs a previously unreported issue................................................. 132
Are load balancers supported in EPM System?
Several EPM System products offer native load-balancing capabilities.............6
In This Chapter
High Availability
Are load balancers supported in EPM System?... When a problem has been previously reported and a resolution is available.. Why does this happen? ................. WebLogic Server errors out with the message “Could not obtain an exclusive lock on folder xxx”......... and do I need to reproduce an issue outside of ClusterWare in order for Support to log it as an issue? ......................... 132 Is a two-node-cluster configuration for Oracle Business Intelligence Suite Enterprise Edition (OBIEE) supported for integration with EPM Workspace? .............. Support for these load balancing technologies is provided only as expressed in the EPM System High Availability Guide........ including logging a bug with Oracle Development for investigation if required....... 131 Does Reporting and Analysis support Oracle Clusterware for high availability? ............ When I start the second node of Shared Services....... however...................................... If that solution does not work in the load-balanced environment...... 129 Is Veritas Cluster Server supported with EPM System? ........
Are load balancers supported in EPM System? 129
...

1. the customer will be referred to their cluster software vendor for support. including logging a bug with Oracle Development for investigation if required. BI Core Services and / or OpenLDAP with MSCS as follows: When a customer logs a previously unreported issue. Oracle Support may require the issue to be diagnosed in a non clustered environment when there is reason to believe that the environment is a contributing factor. If the customer demonstrates that the Oracle solution does not work when running in a non-MSCS environment. Oracle will resume support. Support for these High Availability technologies is not the same. there may be deployment and performance implications. Veritas Clustering Services is supported but not certified. as this can result in degraded product performance.
Is Veritas Cluster Server supported with EPM System?
Starting with release 11. While Oracle’s Hyperion products are expected to function properly in MSCS Clustered environments. When a problem has been previously reported and a resolution is available. Oracle ClusterWare is fully supported. When a problem has been previously reported and a resolution is available. Oracle support will recommend the appropriate solution on a non-MSCS environment. Oracle has not certified clustering of EPM System using Microsoft Cluster Services (MSCS). as provided for in other sections of this document. the customer will be referred to their cluster software vendor for support. Oracle Support will assist customers running Oracle’s Hyperion Shared Services.
Is Oracle ClusterWare support similar to Microsoft Clustering Services. An analysis should be performed within the context of the specific application to be deployed to a load-balanced environment to mitigate potential resource contentions.1. and do I need to reproduce an issue outside of ClusterWare in order for Support to log it as an issue?
The short answer is no. If that solution does not work in the clustered environment. which can invalidate
130 High Availability
. Oracle will resume support. Oracle Support may require the issue to be diagnosed in a non-clustered environment when there is reason to believe that the environment is a contributing factor.1.While Oracle’s Hyperion products are expected to function properly in load-balanced environments. there may be deployment and performance implications. Oracle support will recommend the appropriate solution on a non-clustered environment. Oracle Support may refer customers to the third-party vendor for issues that can not be duplicated in non-clustered environments. If that solution does not work in the clustered environment. However. Specifically this means that when a customer logs a previously unreported issue. If the customer demonstrates that the Oracle solution does not work when running in a non-clustered environment. which can invalidate Oracle’s applicable recommendations. Oracle Support may refer customers to the third-party vendor for issues that can not be duplicated in non-clustered environments. including logging a bug with Oracle Development for investigation if required.

UNIX: http://www.
Does Shared Services support Oracle Clusterware for high availability?
Shared Services supports Oracle Clusterware in Shared Services 9.3.pdf
Does Reporting and Analysis support Oracle Clusterware for high availability?
Reporting and Analysis 9.1. Reporting and Analysis does not require Oracle Clusterware to achieve high availability.
Does Shared Services support Oracle Clusterware for high availability? 131
. UNIX: http://www.3.pdf Windows: http://www.com/technology/products/bi/pdf/hss_randa_ha_unix. but uses replication instead.oracle. An analysis should be performed within the context of the specific application to be hosted in the clustered environment to mitigate potential resource contentions.com/technology/products/bi/pdf/hss_randa_ha_unix. 11. and Web Analysis services) supports Oracle Clusterware on Windows and UNIX.1.1.Oracle’s applicable recommendations. see “Reporting and Analysis Clustering” in Chapter 2 of the High Availability Guide.oracle.pdf
q
q
q
Shared Services. Windows: http://www.x.oracle.1 (Core services.pdf
q
On the 11.x. For instructions to use Oracle Clusterware with Reporting and Analysis 9. 9.1. 11.3.oracle. as this can result in degraded deployment and of product performance. see the whitepapers posted to the whitepaper library on OTN:
q
Shared Services.1. For instructions to use Oracle Clusterware with Shared Services.1.com/technology/products/bi/pdf/hss_randa_ha_windows. Financial Reporting.x codeline. Interactive Reporting.1.3.com/technology/products/bi/pdf/epm-hss-high-avail-windowswhitepaper. see the following whitepapers in the whitepaper library on OTN:
q
UNIX: http://www.oracle. Windows: http://www.1 Service Pack 1 and in the 11.com/technology/products/bi/pdf/hss_randa_ha_windows.x releases (Windows and UNIX).oracle.1.1.1. For more information.1.3.pdf Shared Services.pdf Shared Services. 9.com/technology/products/bi/pdf/epm-hss-high-avail-unixwhitepaper.

this causes the second node of WebLogic Application Server to error-out during startup. When I start the second node of Shared Services.2 and later releases documented that the Shared Services Web application should be deployed to the shared disk.2 using Oracle Clusterware is available in the EPM/BI whitepaper library. all of which should result in a single apparent Web front-end for the OBIEE Web user interface.1.1.1. EPM System supports using Oracle ClusterWare to set up an Active/Passive (failover) configuration of Essbase Server.1.2 and 11. However.1.1 “Registering the Oracle BI Presentation Services Components with the Hyperion Registry”.com/technology/products/bi/pdf/epm_hss_active_active_clusters_wp. This will record the correct URL into the Shared Services Registry as a single Web application node that plugs into EPM Workspace. originally published in April 2009.1. there are multiple ways to cluster OBIEE.1.
132 High Availability
. for Essbase releases 11.5.2 Active-Active Clusters white paper.oracle. for the 11. The best way to integrate the Web interface of the clustered OBIEE would be to use the browser to go the “single point of entry” for the OBIEE Web interface.1. especially section 11. WebLogic Server errors out with the message “Could not obtain an exclusive lock on folder xxx”.pdf
Does Essbase support Oracle ClusterWare?
Yes. A whitepaper that provides instructions on setting up an Active/Passive (failover) configuration of Essbase 11.1.3.I performed the Shared Services Active-Active clustering configuration on WebLogic Server according to the instructions in the published whitepaper. The fix is to deploy Shared Services to a local disk on both nodes and configure the Lifecycle Management (LCM) functionality to point to the shared disk.3. This would be the load-balanced Web front-end (such as Apache) that is manually configured (10g). Then perform registration from this instance. Using the above suggestion. The updated white paper is posted at: http://www. Why does this happen?
The Oracle Hyperion Enterprise Performance Management System Hyperion Shared Services Release 11. follow the procedure for registering a single instance in the Oracle Business Intelligence New Features Guide.1.
Is a two-node-cluster configuration for Oracle Business Intelligence Suite Enterprise Edition (OBIEE) supported for integration with EPM Workspace?
Yes.

.....1......................................................1.........................x: EPM System 11.....................................................................................x? .................x Release? ..................7
In This Chapter
Product and Miscellaneous Tips
Where can I find all documentation related to EPM System products? ...1..1: System 9 documentation is hosted live in the Documentation Library on OTN:
Where can I find all documentation related to EPM System products? 133
. Security and LCM documentation are on the Foundation Services tab in the Shared Services area.....1.......................... is it related to the locale of the installation? ............1.................................... 134 Where can I find a list of all “Oracle By Examples” on EPM Infrastructure?........................oracle................ icons are flickering and appear to be downloaded constantly.1.....................................1................................... 133 How can I get previous issues of Tips and Tricks from EPM Infrastructure Development?........... If I close the browser and start again........1.......................3............................x is slow.x documentation is hosted live in the Documentation Library on OTN: http://download....... 135 Are there any Oracle Internal Training materials for EPM System Installation and Configuration? ...... 138 Where can I find the Financial Management SDK for 11.. 136 The first login to Workspace 11........htm Installation documentation and readme files are on the Deployment tab................. 141
Where can I find all documentation related to EPM System products?
q
11................................................ 135 Where can I find a list of all EPM System logs? ...................... 137 What is the recommended way to delete Planning applications and their related database tables? ..................1.. 140 Why can I launch Oracle Business Intelligence Enterprise Edition (OBIEE) directly but I cannot launch it from Workspace? ............................................ 136 Can I run a Planning deployment in multiple languages? If so......com/docs/cd/E12825_01/index...........
q
9................................. How can I fix this? .......... These files are updated on a monthly basis....... 134 Is there any documentation on how to use Oracle Enterprise Manager (OEM) with Hyperion products? .............. it is still slow.................. 138 Using EPM Workspace in Internet Explorer............................................................................1. so check this site frequently to get the latest versions...... What could be wrong? ......... 134 Is there a Financial Management Tuning Guide for the Oracle Database 11..........

Oracle Enterprise Performance Management / Business Intelligence Tips page: http://www. so check this site frequently to get the latest versions.oracle.oracle.1.com You can search on “Tips n Tricks” or on individual tip content.oracle.com/technology/obe/hyp_ss/ssindex. and security documentation are on the Installation & Backup tab.1.com) from the HFM development team. but not Oracle database tuning. readme files.
q
An OBE for EPM System 11.x installation and configuration is located here: http:// www.1.1. but there will be a presentation during the week of July 15th by Development that focuses on memory optimization of the engine. These files are sometimes updated monthly.com/technology/products/bi/performance-management/resourcelibrary. This presentation is open to Oracle Support and Services.1.com/docs/cd/E10530_01/welcome.oracle.http://download.
q
My Oracle Support (previously “Metalink”): http://support.x Release?
There is no Financial Management-specific database tuning guide available for the Oracle 11.x database.com/technology/obe/hyp_epm/icindex.Farzaneh@oracle.1.
Where can I find a list of all “Oracle By Examples” on EPM Infrastructure?
Oracle by Examples (OBEs) are tutorials that provide step-by-step instructions for performing a variety of tasks.
Is there a Financial Management Tuning Guide for the Oracle Database 11.htm
q
134 Product and Miscellaneous Tips
.oracle. Interested parties can sign up by contacting Ramin Farzaneh (Ramin.html Installation documentation.html Each previous issue of Tips and Tricks is posted. as well as a consolidated document that contains all previous issues.
How can I get previous issues of Tips and Tricks from EPM Infrastructure Development?
There are two places you can find back issues of the EPM Infrastructure Tips and Tricks document:
q
On OTN.htm Product-specific OBEs for performing first-time Lifecycle Management (LCM) migrations are located here: http://www.

shtml For Reporting & Analysis: http://currdev. not just HFM.hyperion. 2. but there are also components for managing generic services and the like. You can download the Technology Preview from My Oracle Support (MetaLink3): 1.1.com/technology/ obe/start/index.hyperion.com/technology/products/bi/foundation-services/epm-sys-mgmtpack. and click “Go”. there is training that is free for Oracle employees only:
q
For Planning: http://currdev.
Are there any Oracle Internal Training materials for EPM System Installation and Configuration?
Yes. Information is available here: http://www. Siebel and Hyperion Products” link. 4.1.1. so it is applicable to all EPM System products.shtml For Financial Management: http://currdev. The Technology Preview for EPM System Management Pack is not a “product” so is not supported. Enter “7388231” for “Patch Number / Name”.com/development/applications/ pln_install_11. Click “Simple Search”.oracle. 3. This preview is for Hyperion Financial Management (HFM) domain products.oracle.com/development/bi/ BI1111_Admin.html (scroll down to the “Oracle Business Intelligence and Enterprise Performance Management” section)
Is there any documentation on how to use Oracle Enterprise Manager (OEM) with Hyperion products?
There is a Technology Preview for EPM System Management Pack. Click the “Patches and Downloads” tab.1. Click the “Oracle. From there. This document applies to all EPM System products. select Microsoft Windows (32-bit).q
The full list of OBEs for EPM System are located here: http://www.html This page provides a link to a whitepaper called “Using Oracle Enterprise Manager Grid Control to Monitor Oracle’s Hyperion Products”. you can download the preview.html
q
q
Customers can also access this content via Oracle University:
Is there any documentation on how to use Oracle Enterprise Manager (OEM) with Hyperion products? 135
.com/development/applications/ fm_install_11. but you can get a good sense for what is coming.hyperion.

0. and information about logging levels. If I close the browser and start again. You can use the EPM System Diagnostics tool to validate that everything is started. Otherwise.com/pls/ web_prod-plq-dad/db_pages. This guide provides a list of log files.1.1.getCourseDesc? dc=D70058GC10&p_org_id=10010… =US
q
q
Where can I find a list of all EPM System logs?
Information about EPM System logs is included in the EPM System Installation and Configuration Troubleshooting Guide for the 11. run: Windows: HYPERION_HOME/common/validation/9.0/validate.oracle. From the Workspace machine. How can I fix this?
If products that are accessed via Workspace are not started.1 Administration: http://education. To avoid this problem. This report will show errors if any of the products are not started.5.com/pls/web_prod-plq-dad/db_pages.oracle. it is still slow. attempts to login to the product from Workspace are slow.1. After the first failure. If the product is not started. like the example below for Foundation/Workspace:
136 Product and Miscellaneous Tips
.html.1 Installation & Configuration: http:// education. Workspace does not try to fetch it again. the report shows all “green” results.sh The report is generated in: HYPERION_HOME/common/validation/9.x is slow. descriptions.getCourseDesc? dc=D70052GC10&p_org_id=10010… =US Hyperion Reporting & Analysis 11.com/pls/web_prod-plq-dad/db_pages. the browser waits for the connection to the product to time out.0.1. ensure that all installed products accessed via Workspace are started.3.1.5.
The first login to Workspace 11.1 releases.0/reports The report is named: validation_report_<timestamp>.q
Oracle Hyperion Financial Management 11.oracle. This happens because Workspace is attempting to fetch the “global” string bundles from each product.bat UNIX: HYPERION_HOME/common/validation/9.5.1 Installation & Configuration: http:// education.1.getCourseDesc?dc=D70060GC10&p_org_id=10010… =US Oracle Hyperion Planning 11.x and 9.0/validate.1.0.

Can I run a Planning deployment in multiple languages? If so. that other reasons may cause similar behavior. ensure that the Oracle database supports Unicode mode. see “Entering Data Source Information” and “Alias Dimensions” in the Oracle Hyperion Enterprise Performance Management Management Architect Administrator's Guide. For Planning applications created in Performance Management Architecture. however. The supported languages are independent of server locale settings on which Planning is installed.It should be noted. For localized deployments. such as proxy malfunctioning and performance issues with backend services. is it related to the locale of the installation? 137
. For Classic Planning applications. is it related to the locale of the installation?
Planning applications for all localized versions use the browser settings to determine locale. You can also set up alias tables to display dimension members in different languages.
Can I run a Planning deployment in multiple languages? If so. see “Creating Data Sources” and “About Alias Tables” in the Oracle Hyperion Planning Administrator's Guide. and that the data source for the Planning application is set to Unicode mode.

This may cause significant performance degradation. This issue has been experienced with Internet Explorer 6. See "Deleting Applications" in the Oracle Hyperion Planning Administrator's Guide. and results in the impression that icons are flickering in EPM Workspace. ‘Automatically’) are not used. ‘Always’. See "Deleting Applications" in the Oracle Hyperion Enterprise Performance Management Management Architect Administrator's Guide. Internet Explorer does not cache no matter what setting is applied. What could be wrong?
In some cases.What is the recommended way to delete Planning applications and their related database tables?
Both Planning Classic and EPMA have a delete application feature that deletes the application and its related database tables. For Classic Planning: Use the Classic Application Wizard in Planning to delete Classic Planning applications. This forces the browser to cache the static content. The data source used to connect to this application remains in the Planning System database and gets a -1 in the app_id field used to point to the application record in another table before the application was deleted. No additional steps should be required to delete a Core Planning application. The solution is to use content expiration headers at the Web server level for static content. ‘Every visit to the page’.
138 Product and Miscellaneous Tips
. The Delete Application button also deletes the application and all associated cubes/plan types from Essbase. The Delete Application button deletes all Planning created HSP_xxx tables in the Planning relational database and all the records pertaining to that application in the Planning System database. Internet Explorer does not cache static content. Deleting the “application view” from the EPMA Application library deletes everything deleted by the Delete Application button and in addition deletes some records pertaining to this app from EPMA relational tables. The Internet Explorer settings pertaining to caching (‘Never’. For EPMA: Use the Application Library in EPMA to delete applications. An EPMA application will not show up in the list in Classic Planning Administration where the Delete Application button is displayed.
Using EPM Workspace in Internet Explorer. no matter what Internet Explorer cache setting is set. especially for high latency networks. icons are flickering and appear to be downloaded constantly. with SSL enabled and HTTP compression enabled on the Web server. A Planning application that has been upgraded to EPMA has to be deleted from the EPMA Application Library.

Using EPM Workspace in Internet Explorer.® To apply content expiration headers. follow this procedure:
1
Locate the static content folder in the Web server directory structure:
2
Click Properties. What could be wrong? 139
. Select the checkbox for Enable content expiration. and then select the HTTP Headers tab. and specify the expiration time to more than 1 day. icons are flickering and appear to be downloaded constantly.

1.
Where can I find the Financial Management SDK for 11.3
Perform this task for all other static content folders.html
140 Product and Miscellaneous Tips
.x?
The information on the Financial Management Software Developer’s KIT (SDK) can be found on Oracle Technology Network here: http://www.1.c> ExpiresActive on ExpiresByType image/gif "access plus 1 months" </IfModule>
This should correct the problems with flickering icons.oracle.com/technology/products/bi/ performance-management/financial-management.so <IfModule mod_expires.
If you are using Apache: Ensure that the httpd.conf file contains this entry:
LoadModule expires_module modules/mod_expires.

war file. A request from Workspace to OBIEE does not set the content type of the response correctly.war and redeploy the .x is running on WebLogic Server and the front-end Web server for Workspace is IIS.xml in the OBIEE war file analytics. This issue is seen when OBIEE 10.Why can I launch Oracle Business Intelligence Enterprise Edition (OBIEE) directly but I cannot launch it from Workspace?
A Javascript error is returned in the browser (“Object not found” in line 5250).
<mime-mapping> <extension>xml</extension> <mime-type>text/xml</mime-type> </mime-mapping> <extension>xsd</extension> <mime-type>text/xml</mime-type>
Why can I launch Oracle Business Intelligence Enterprise Edition (OBIEE) directly but I cannot launch it from Workspace? 141
. The fix is to add the following to web.